ABSTRACT


The increasingly important role of Long Term Evolution (LTE) has increased security concerns among service providers and end users and made the security of the network even more indispensable. In this thesis, the LTE specifications are examined, and several security vulnerabilities of LTE mechanisms, in particular those that exist within the Layer 2 protocol of the LTE network, are identified. Among these mechanisms, the power control mechanism for LTE is further explored. The unprotected power control signal together with the Cell Radio Network Temporary Identifier (CRNTI) can be exploited to trick the victim User Equipment (UE) into transmitting at a much higher than required power, which introduces significant inter-cell interference to adjacent base stations, evolved NodeBs (eNodeBs). The ways that an attacker can maliciously manipulate the control field of the power control mechanism are demonstrated. The effectiveness of such an attack is evaluated with respect to the victim UEs and the adjacent eNodeBs. The impacts include reduction of the victim UE's battery lifespan to 33% of the original battery lifetime and a reduction in the reverse-channel signal-to-interference ratio (SIR) of an adjacent eNodeB by 3.4 dB, causing a decrease in throughput of 37%.
EXECUTIVE SUMMARY


The rapid increase in data usage in mobile communication systems has led to the development of the fourth generation (4G) Long Term Evolution (LTE) standard. LTE is the current-generation wireless data communications standard that is poised to dominate mobile data connectivity in both the commercial and military arenas because of its very high data rate capabilities. The increasingly important role of LTE has increased security concerns among service providers and end users and made the security of the network even more indispensable.


The literature related to the LTE network, in particular that related to security issues, is reviewed, and the security vulnerabilities identified in the available literature are discussed briefly. In this thesis, the LTE specifications are examined and several security vulnerabilities of LTE mechanisms, in particular those that exist within the Layer 2 protocol of the LTE network, are identified. The identified potential weaknesses include malicious modification of the control protocol data unit (PDU) type reserved field, prioritized retransmission of traffic data, and malicious modification of the power control mechanism.


In this thesis, the focus is on exploring the power control mechanism for LTE. The objectives of power control are to improve system capacity, coverage and user experience, while at the same time reducing the power consumption of the User Equipment (UE). Fundamentally, uplink power control for LTE is a combination of an open-loop mechanism, where the UE transmit power depends on estimates of the downlink path loss, and a closed-loop mechanism, where the network directly controls the UE transmit power by means of explicit transmitter power-control (TPC) commands transmitted in the downlink. The closed-loop correction is computed dynamically and updated from sub-frame to sub-frame. An adversary can inject false power-control commands to control the UE transmit power, as shown in Figure 1.




[Figure 1: block diagram. eNodeB: measure received SINR, estimate path loss, formulate explicit TPC command. Wireless channel. UE: receive explicit TPC command, set transmit power based on the power control command. Adversary: inject false TPC commands. Legend: action performed by eNodeB / action performed by UE / action performed by adversary.]
Figure 1. Modified power control mechanism.
The unprotected power control signal together with the Cell Radio Network Temporary Identifier (CRNTI) can be exploited to change the intended behavior of the UE. The CRNTI provides a unique end User Equipment identification (UEID) at the cell level and is assigned to the associated UE by the network during the initial establishment of uplink synchronization. An adversary can exploit the fact that the CRNTI is transmitted in the clear and misuse it for malicious activities.


The ways that an attacker can maliciously manipulate the control field of the power control mechanism are demonstrated in this thesis. The attacker acts as a combination of a base station, evolved NodeB (eNodeB), and a UE. Initially, the attacker impersonates a UE and connects to the genuine eNodeB to obtain the cell-specific reference signal. At a later stage the attacker presents itself as a bogus eNodeB and generates false messages to the victim UE. The attacker can perform the message injection attack on the victim UE in three stages. Stage 1 involves the extraction of messages between the victim UE and the eNodeB to obtain the CRNTI. Stage 2 involves the calculation of the timing advance to synchronize the false message frame to the victim UE. Stage 3 involves the injection of false messages with the TPC field adjusted to the designated value to change the behavior of the victim UE. The correlation, and the corresponding graph, between the required power of the injected message and the received false-signal-to-legitimate-signal ratio is also derived.


The effectiveness of such an attack with respect to the victim UEs and adjacent eNodeBs is evaluated. The impacts include a reduction in the battery lifespan of the victim UE and a reduction in the reverse-channel signal-to-interference ratio (SIR) of adjacent eNodeBs.


The interference generated by the victim UE in a 120-degree sectored cell is examined. A combination of these interferences creates a cascading effect on adjacent eNodeBs, and the received SIR at the eNodeB is derived. From the derivation, it is observed that the SIR depends on the power transmitted by the UEs, and a Matlab simulation is performed to generate the average SIR. The simulation results indicate that the received SIR at the eNodeB decreases from a nominal value of 11.7 dB to 8.3 dB when the interfering sources are transmitting at maximum power.


In general, a modulation and coding scheme (MCS) with a higher throughput requires a higher SIR to operate in. The decrease in SIR leads to the adoption of an MCS with a lower throughput. The MCS is lowered from MCS-10, with a corresponding maximum throughput of 3.2 bits per second per hertz, to MCS-8, with a corresponding maximum throughput of 2.0 bits per second per hertz. The maximum throughput of the legitimate UE is thus reduced by 37.5%.




ACKNOWLEDGMENTS

I would like to thank my thesis advisors, Prof Tri Ha and Prof Weilian Su, for their guidance and motivation to complete this thesis. I would also like to thank my wonderful wife, Kim Hong, my family, and friends for their continuous support during my study at the Naval Postgraduate School.




I. INTRODUCTION 


A. BACKGROUND 


“LTE is the next step in user experience, enhancing more demanding application such as interactive TV, mobile video blogging, advanced gaming, and professional services. Data rates are significantly higher. LTE supports a full [internet protocol] IP-based network and harmonization with other radio access technologies.” [1]


The rapid increase in data usage in mobile communication systems has led to the development of fourth generation (4G) wireless technologies, which include Long Term Evolution (LTE) and Worldwide Interoperability for Microwave Access (WiMAX). LTE is a standard developed by the Third Generation Partnership Project (3GPP) under the name Long Term Evolution/System Architecture Evolution (LTE/SAE); 3GPP is a consortium of telecommunications associations formed in order to define communication standards. LTE is specified in 3GPP’s Release 8 document series, with minor enhancements described in Release 9.


LTE belongs to the GSM path for mobile broadband and evolved after Enhanced Data rates for Global Evolution (EDGE), Universal Mobile Telecommunications System (UMTS), High Speed Packet Access (HSPA) and HSPA Evolution (HSPA+). The evolutionary path is illustrated in Figure 1.


The first release of 3G provided by 3GPP in 2000 is known as “Release 99”. It defines the wideband code-division multiple access (W-CDMA) and UMTS standards. In 2001, a new feature, the “all-IP core network”, was added to Release 99, and it evolved into Release 4. HSPA comprises Release 5 and Release 6. Release 5 introduced high speed downlink packet access (HSDPA) in 2002, and Release 6 introduced high speed uplink packet access (HSUPA) in 2005 and included more features such as multimedia broadcast multicast services (MBMS) and integration with wireless local area networks (LANs). Release 7 introduced HSPA+ in 2007 and primarily deals with specification developments such as latency and quality of service (QoS) improvements and real-time applications.


Although the HSPA systems offer significant improvement in performance over previous UMTS systems, their designs were limited by compatibility requirements in the UMTS specification. In addition, with the emergence of packet-based mobile broadband systems like WiMAX, it became imperative for 3GPP to develop new standards and mobile technologies to ensure competitiveness for the next decade and beyond and to meet the increasing demand for network services in terms of higher data rates, reduced latency, and improved system capacity and coverage. LTE/SAE proposes to fulfill these requirements by using an IP-converged architecture that is able to work across multiple access networks. Thus, LTE was first introduced in Release 8 in 2008, while Release 9 is the LTE release with SAE enhancements and interoperability between LTE and WiMAX.


The overall high level objective of LTE is to provide an extremely high performance radio-access technology that provides full vehicular speed mobility and can coexist with HSPA and other previous networks. With the scalable bandwidth functionality of LTE, operators are able to migrate their networks and users from HSPA to LTE over time with ease.
Figure 1. 3GPP family technology evolution. From [2].


LTE is able to provide unprecedented performance in terms of peak data rates, delay, and spectrum efficiency when compared with its predecessors. LTE can provide up to 100 Mbps downlink data rate and up to 50 Mbps uplink data rate; this is four times faster than previous HSPA+ data rates. The comparison of peak data rates and other parameters between LTE and its predecessors is shown in Table 1.


Table 1. Comparison of parameters between LTE and its predecessors. From [3].

An LTE evolution update report researched and published by the Global mobile Suppliers Association (GSA), dated January 5, 2012, [4] confirms that 49 LTE operators have already launched commercial services. These 49 LTE operators have launched LTE network services in 29 countries, which include Armenia, Australia, Austria, Bahrain, Belarus, Brazil, Canada, Denmark, Estonia, Finland, Germany, Hong Kong, Hungary, Japan, Kuwait, Latvia, Lithuania, Norway, Philippines, Poland, Puerto Rico, Saudi Arabia, Singapore, South Korea, Sweden, UAE, Uruguay, USA, and Uzbekistan. The countries with deployed LTE services are shaded in red in Figure 2.





[Figure 2 legend: countries with commercial LTE service; countries with commercial LTE network deployment on-going or planned; countries with LTE trial systems (pre-commitment).]
Figure 2. 3GPP LTE evolution country map. From [5].


The GSA report also confirms that 285 operators in 93 countries have committed to commercial LTE network deployments or are engaged in trials, technology testing or studies. This includes the 49 commercial LTE networks that have already launched, 117 deployments that are in progress or planned in 76 countries, and another 59 operators in 17 other countries that are engaged in LTE technology trials, tests or studies.


This report suggests that operators around the world have strengthened their commitment to and investment in LTE technology, and GSA forecasts that there will be 119 commercial LTE networks in more than 50 countries by the end of 2012.


The motivations for the growth of interest in LTE are as follows: continued competitiveness of the 3G system, user demand for higher data rates and QoS, a packet-switch-optimized system, continued demand for reduced capital and operational expenditures (CAPEX and OPEX), low complexity, and avoidance of unnecessary fragmentation of technologies for paired and unpaired band operation [6].


Several key features of LTE are discussed in [7]. These features are the access scheme, data rate, latency, mobility, spectrum allocation, frequency bands, scalable bandwidth, cell size, supported users, internetworking with legacy networks, the packet-switched radio interface and support for the Multicast-Broadcast Single Frequency Network (MBSFN).


For the access scheme feature, LTE uses orthogonal frequency-division multiple access (OFDMA) for the downlink and single carrier frequency-division multiple access (SC-FDMA) for the uplink. The major parameters for LTE are shown in Table 2.


For the data rate feature, the peak download rates can reach 299.6 Mbit/s and upload rates 75.4 Mbit/s, depending on the User Equipment (UE) category. Five different terminal classes have been defined, from a voice-centric class up to a high-end terminal that supports the peak data rates. The download and upload rates for the respective UE categories are shown in Table 3.


For the latency feature, in optimal conditions the data transfer latency is low, at sub-5 ms for small IP packets. Handover and connection set-up times are also lower than with previous radio access technologies.


For mobility features, there is also an improved support for mobility, exemplified 
by support for terminals moving at up to 350 km/h or 500 km/h depending on the 
frequency band [8]. 


For the spectrum allocation feature, LTE supports frequency-division duplexing (FDD) and time-division duplexing (TDD) communication systems as well as half-duplex FDD with the same radio access technology.


For the frequency bands feature, LTE supports all frequency bands currently used 
by International Mobile Telecommunications (IMT) systems. For the scalable bandwidth 
feature, LTE includes increased spectrum flexibility, with 1.4 MHz, 3 MHz, 5 MHz, 10 
MHz, 15 MHz and 20 MHz wide cells standardized. 


For the cell size feature, LTE supports cell sizes from tens of meters in radius (femtocells and picocells) up to 100 km radius macrocells. In the lower frequency bands to be used in rural areas, 5 km is the optimal cell size, 30 km gives reasonable performance, and cell sizes up to 100 km are supported with acceptable performance. In city and urban areas, higher frequency bands (such as 2.6 GHz in the EU) are used to support high speed mobile broadband. In this case, cell sizes may be 1 km or even less.


For the supported user feature, LTE supports at least 200 active clients in every 5 MHz cell [9]. For internetworking with legacy networks, LTE supports inter-operation and co-existence with legacy standards.


For the MBSFN feature, LTE can deliver services such as Mobile TV using the LTE infrastructure and is a competitor for DVB-H-based TV broadcast.


Several key enablers are required to achieve the aggressive performance targets of LTE. The identified key enablers for LTE are orthogonal frequency-division multiplexing (OFDM), multiple-input multiple-output (MIMO), and system architecture evolution (SAE) [10].


The OFDM technology is an enabler in LTE because of its capability to transmit at high bandwidth efficiently while providing resilience to reflections and interference. OFDMA is used in the downlink to achieve high peak data rates in wide spectrum bandwidths, and SC-FDMA is used in the uplink because of its small peak-to-average power ratio; the more constant power enables high RF power amplifier efficiency in mobile handsets, which is an important factor for battery-powered equipment.


Table 2. Major parameters for LTE Release 8. After [6].

Access scheme: uplink DFTS-OFDM (SC-FDMA); downlink OFDMA
Bandwidth: 1.4, 3, 5, 10, 15, 20 MHz
Minimum TTI: 1 ms
Sub-carrier spacing: (value not recovered)
Cyclic prefix length: short and long (values not recovered)
Spatial multiplexing: single layer for uplink per UE; up to 4 layers for downlink per UE; MU-MIMO supported for uplink and downlink

Table 3. User equipment categories for LTE Release 8. After [6].

Columns: Category (1 to 5); Peak rate (Mbps), downlink and uplink; RF bandwidth; Multi-antenna capability, with entries "assumed in performance requirements", "mandatory" and "not supported". (Per-category values not recovered.)


The MIMO technique is an enabler because one of the main problems encountered by previous telecommunications systems was that multiple signals arose from the many reflections encountered along the path. These signals would reach the destination at different times and result in a disrupted waveform. With the use of MIMO, these additional signal paths can be used to advantage to increase the throughput. MIMO antenna technology enables ten times as many users per cell as 3GPP’s original WCDMA access technology [6].


Lastly, the SAE enables the system architecture to evolve in order to handle the very high data rate and low latency requirements for 3G LTE. One of the significant changes to the system architecture is that a number of the functions previously handled by the core network have been transferred out to the periphery. This leads to a “flatter” form of network architecture and allows direct routing of the data to the destination, which in turn reduces the latency times.


With the superior features that LTE can provide, LTE is the next-generation wireless data communications standard that is poised to dominate mobile data connectivity in both the commercial and military sectors. In the commercial sector, a disruption in service due to security reasons can jeopardize the reputation and reduce the revenue of the service provider. In the military sector, the integrity and the timely transmission of data are of utmost importance. Any compromise may result in failure of the mission.


Security is indispensable for secured communication between users and mobile networks. The increasingly important role of LTE has brought about a number of security concerns among service providers and end users. The aim of this thesis is to provide a comprehensive analysis of the potential weaknesses of the LTE protocol.
B. PROJECT OBJECTIVE 


Security within the LTE system has become extremely important to ensure secure communication for the user terminals accessing network services. The security and robustness of the LTE standard, especially those of its control channels in Layer 2, namely, Radio Link Control (RLC), Medium Access Control (MAC) and Packet Data Convergence Protocol (PDCP), need to be further examined.


C. SCOPE OF THESIS


The scope of the thesis includes a review of the LTE protocol standards and an assessment of existing threats to the LTE system, followed by an exploration of methods of hacking into and manipulating the control channel without the other party's knowledge. This thesis research can serve as a starting point to protect, as well as to exploit, protocol weaknesses in LTE and, thus, opens an exploitation space.
D. APPROACH/STRUCTURE 


The literature related to the LTE network is briefly discussed in Chapter II. In particular, available literature related to security issues is reviewed and security vulnerabilities are identified. The LTE specifications are examined, and several other potential security weaknesses of the features and mechanisms, especially those related to the control channels within the LTE network’s Layer 2 protocol, are identified.


In Chapter III, some of the important technical aspects of 3GPP are discussed. Some basic technologies and methods employed in LTE, which include OFDM, OFDMA, SC-FDMA and MIMO, are explored. A general overview of the LTE architecture and the different protocol layers and their interaction within the LTE network, followed by the threat model and LTE’s security architecture, are also presented in Chapter III. Finally, the details of the sub-layer protocols, namely, RLC, MAC and PDCP within the LTE network’s Layer 2 protocol, are elaborated on.


In Chapter IV, LTE’s power control mechanisms are explored and the unprotected power control signal is exploited to conduct attacks on UEs and degrade their intended services. The ways that an adversary can maliciously manipulate the power control mechanism’s control field in order to sabotage the victim UE are demonstrated. This chapter concludes by evaluating the impacts of the attack.


In Chapter V, the results of the thesis are summarized and the potential research issues related to the security of LTE are discussed.


II. LITERATURE REVIEW


A. OVERVIEW 


The majority of research related to LTE began in 2008, after the release of the first LTE standard by 3GPP. As the objective of the thesis is to examine the security and robustness of the LTE standard, the literature review covers materials discussing the security aspects of LTE. A relatively small amount of research has been done on the security of LTE, and only a limited number of security exploitations in LTE have been discussed extensively in the published literature. There is, however, literature that provides background and presents a tutorial overview of the proposed security mechanisms in the Evolved Packet System (EPS), listing some open security issues and key threats in LTE at that time.


The threats discussed in [11] are the illegal access and usage of the user’s and mobile equipment’s (ME’s) identities, the tracking of a user based on the UE’s identity and signaling messages, the illegal access and usage of keys used in security procedures, the malicious modification of UE parameters to deny the UE normal services, the tampering with the system information broadcast by the Evolved Universal Terrestrial Radio Access Network (E-UTRAN), denial-of-service (DoS) against the UE, and replay attacks which affect the integrity of data. These threats to the LTE network were not further elaborated in [11].


B. AUTHENTICATION PROTOCOL AND KEY MANAGEMENT 
ENHANCEMENT IN LTE 


Several researchers have done work to enhance the robustness of the security protocols and mechanisms in LTE.


The authors in [12] describe the LTE security architecture and mobility procedures related to key management techniques in order to minimize the effects of a possible key compromise in the access points. They go on to compare in detail LTE’s key management security properties with the session keys context (SKC) concept. The authors conclude that LTE could benefit from the SKC type of key management since the SKC concept is simpler and allows higher key distributor scalability, while the security properties are quite similar.


The authors in [13] survey and compare three candidate authentication protocols for the LTE network: Password Authentication Protocol (PAP), Lightweight Extensible Authentication Protocol (LEAP) and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). The conclusion is that PAP and LEAP are vulnerable to dictionary attacks. EAP-TLS can provide reliable security performance but has considerable overhead.


The research in [14] examines the weaknesses and strengths of the Authentication and Key Agreement protocol (EPS-AKA) and identifies the protocol’s potential weaknesses. A new authentication protocol, Enhanced EPS-AKA (EAKA), is proposed, which provides full (online) mutual entity authentication between the ESIM (Enhanced Subscriber Identity Module) and the Home Subscriber Server (HSS) and removes the need for delegated authentication.
C. WEAKNESS OF IP CONVERGED LTE NETWORK


A survey of security threats conducted in [15] shows that the reason for unexpected service disruption and disclosure of information is the inherent weakness of the converged Internet Protocol (IP) architecture of LTE. The IP network is susceptible to conventional attacks like IP address spoofing, user ID theft, theft of service, DoS and intrusion attacks; these attacks extend to the LTE network. In addition, as mentioned in [16], the network is vulnerable to known computer network attack techniques such as man-in-the-middle (MITM), eavesdropping, Trojans, viruses and malware. Security vulnerabilities in IP can jeopardize the entire IP-converged LTE network.
D. VULNERABILITIES OF NON-ACCESS-STRATUM (NAS) OF E-UTRAN 


The authors in [40] study the vulnerabilities of the Non-Access Stratum (NAS) of E-UTRAN and illustrate attacks that exploit these vulnerabilities. The transmission of unprotected Radio Resource Control (RRC) messages and the transmission of the International Mobile Subscriber Identity (IMSI) in plain text, without confidentiality and integrity protection, are discussed in the article. In addition, the CRNTI information in Layer 1 provides attackers the opportunity to track a UE across cells. The exploitation of these vulnerabilities allows attackers to launch efficient and effective DoS attacks on the eNodeB.
E. THREATS EXPLOITING LAYER 2 INFORMATION 


To the best of our knowledge, [17] is the only available reference that deals with identifying threats and attacks by manipulating the information in MAC and RRC signaling messages. The focus of [17] is on the security and privacy threats in the radio interface between the eNodeB and the UE. Two threats are identified: the first is the tracking of UE location based on the unique CRNTI, cell-level measurement reports or packet sequence numbers, and the second is the message insertion attack during the UE’s long discontinuous reception (DRX) period.


The long DRX period allows the UE to periodically switch off its processing elements to save limited battery power and improve power-consumption efficiency. However, this introduces extended delays when the UE needs to transmit or receive data and may open a security loophole while the UE is “inactive” during the long DRX period. The UE is vulnerable to attacks during this period; these include a false buffer status report attack, which either steals bandwidth by changing the packet scheduling behavior or changes the behavior of the load balancing/admission control algorithms in the eNodeB.
F. INVESTIGATION OF LTE SPECIFICATION 


Investigation of the LTE specifications revealed that there are vulnerabilities within LTE’s Layer 2 protocol. In this thesis, these vulnerabilities are identified and their working principles are discussed briefly. The focus is on exploring LTE’s power control mechanism. The ways to exploit the unprotected fields of the power control message, and the attacks on the victim UE, are detailed in Chapter IV.

Some of the potential vulnerabilities include the malicious modification of the control PDU type reserved field, the prioritized retransmission of traffic data, and the malicious modification of the power control mechanism. These are discussed in the following sections.


1. Malicious Modification of Control PDU Type Reserve Field 


The STATUS PDU is sent by the receiver to feed back the status of the received PDUs. The control PDU type (CPT) field is 3 bits; the STATUS PDU is indicated by 000, while 001-111 are reserved. PDUs with a reserved coding are discarded by the receiving entity in this release of the protocol (Release 10). An adversary can maliciously set the control PDU type field to a reserved value, so that the recipient does not recognize the STATUS PDU and discards it.


2. Prioritized Retransmission of Traffic Data 


The Radio Link Control (RLC) priority rule [29] states that “the transmitting side of an Acknowledged Mode (AM) RLC entity shall prioritize retransmission of RLC data Protocol Data Units (PDUs) over transmission of new AM PDUs.” This implies that when the transmitter receives a negative acknowledgement for a previous PDU, it retransmits the missing PDU instead of transmitting new data. This creates an opportunity for the adversary to manipulate the status report of the victim UE into a negative acknowledgement. This tricks the transmitter into continuously prioritizing and allocating resources for retransmissions and reduces the chance of transmitting legitimate new data.
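Both of the weaknesses above turn on the bit layout of the RLC STATUS PDU, so the following Python is added here as a worked example; it is not code from the thesis. It encodes and decodes a STATUS PDU using the field layout of 3GPP TS 36.322 (D/C, CPT, ACK_SN, E1, then NACK_SN/E1/E2 sets with optional SOstart/SOend, padded to an octet), applies the reserved-CPT discard rule, shows the CPT tampering from section F.1, and models the retransmission-first rule from section F.2 with a simple assumed scheduler queue. The sample PDUs and sequence numbers are constructed for the example.

```python
"""Encode, decode and forge LTE RLC AM STATUS PDUs.

Added example, not code from the thesis.  The bit layout follows 3GPP
TS 36.322 (D/C 1 bit, CPT 3 bits, ACK_SN 10 bits, E1 1 bit, then
NACK_SN 10 / E1 1 / E2 1 sets with optional SOstart 15 / SOend 15, padded
to an octet boundary).  The retransmission-first scheduler is an assumed,
simplified model of the RLC priority rule quoted in the text; all PDUs
below are constructed for the example.
"""

STATUS_CPT = 0          # CPT = 000 identifies a STATUS PDU; 001..111 are reserved


class BitWriter:
    def __init__(self):
        self.bits = []

    def put(self, value, width):
        self.bits.extend((value >> i) & 1 for i in range(width - 1, -1, -1))

    def to_bytes(self):
        bits = self.bits + [0] * (-len(self.bits) % 8)      # pad to octet boundary
        return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                     for i in range(0, len(bits), 8))


class BitReader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def get(self, width):
        value = 0
        for _ in range(width):
            octet = self.data[self.pos >> 3]                # IndexError if PDU is truncated
            value = (value << 1) | ((octet >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return value


def build_status_pdu(ack_sn, nacks=(), cpt=STATUS_CPT):
    """nacks: sequence of (nack_sn, so_start, so_end); so_* are None for a whole-PDU NACK."""
    w = BitWriter()
    w.put(0, 1)                         # D/C = 0: control PDU
    w.put(cpt, 3)
    w.put(ack_sn, 10)
    w.put(1 if nacks else 0, 1)         # E1: a NACK_SN set follows
    for idx, (sn, so_start, so_end) in enumerate(nacks):
        w.put(sn, 10)
        w.put(1 if idx + 1 < len(nacks) else 0, 1)    # E1: another NACK_SN set follows
        w.put(1 if so_start is not None else 0, 1)    # E2: SOstart/SOend follow
        if so_start is not None:
            w.put(so_start, 15)
            w.put(so_end, 15)
    return w.to_bytes()


def parse_status_pdu(pdu):
    """Decode a STATUS PDU; return None when the receiving entity must discard it."""
    r = BitReader(pdu)
    try:
        if r.get(1) != 0:
            return None                 # D/C = 1: this is a data PDU, not STATUS
        if r.get(3) != STATUS_CPT:
            return None                 # reserved CPT value: discard
        ack_sn = r.get(10)
        nacks = []
        more = r.get(1)
        while more:
            sn = r.get(10)
            more = r.get(1)
            if r.get(1):                # E2
                nacks.append((sn, r.get(15), r.get(15)))
            else:
                nacks.append((sn, None, None))
    except IndexError:
        return None                     # truncated PDU
    return {"ack_sn": ack_sn, "nacks": nacks}


def tamper_cpt(pdu, cpt):
    """Adversary rewrites the CPT field (bits 6..4 of the first octet) of a captured STATUS PDU."""
    return bytes([(pdu[0] & 0x8F) | ((cpt & 0x7) << 4)]) + pdu[1:]


def schedule(status, new_sns, grant):
    """SNs sent in one uplink grant: NACKed PDUs are retransmitted before any new AM PDU."""
    queue = [sn for sn, _, _ in status["nacks"]] + list(new_sns)
    return queue[:grant]


if __name__ == "__main__":
    legit = build_status_pdu(ack_sn=5, nacks=[(3, None, None)])
    print("legitimate:", parse_status_pdu(legit))
    print("CPT set to 001 by adversary:", parse_status_pdu(tamper_cpt(legit, 1)))
    forged = build_status_pdu(ack_sn=0, nacks=[(1, None, None), (2, None, None), (3, None, None)])
    print("grant of 3 PDUs after forged NACKs:", schedule(parse_status_pdu(forged), [10, 11], 3))
```

With the CPT rewritten, the receiver drops the report and the acknowledgement it carried never reaches the transmitter; with a forged NACK list, every PDU in the grant goes to retransmissions and the new data (SNs 10 and 11) is starved. Neither manipulation needs the PDU contents to be understood beyond the first octet.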


3. Malicious Modification of Power Control Mechanism 


The power control mechanism for LTE involves the transmission of explicit TPC commands to increase or decrease the transmission power of the UE. The adversary can exploit the unprotected power control signal to conduct attacks on UEs and degrade their intended services. The impacts include depleting the limited battery power of the UE at a faster rate and increasing interference to neighboring cells.
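To make the closed-loop mechanism described here and in the executive summary concrete, the following Python is an added example, not the thesis's own code or simulation. It implements a simplified form of the PUSCH power formula of 3GPP TS 36.213 section 5.1.1.1 with accumulated TPC commands and shows how a run of injected "+3 dB" commands drives the UE to its maximum power P_CMAX. The parameter values (P_CMAX = 23 dBm, P_O = -80 dBm, alpha = 0.8, path loss 110 dB, one resource block) and the omission of the Delta_TF term are assumptions made for illustration.

```python
"""Closed-loop PUSCH power control under legitimate and injected TPC commands.

Added example, not code from the thesis.  The power formula is a simplified
form of 3GPP TS 36.213 section 5.1.1.1:
    P = min(P_CMAX, 10*log10(M) + P_O + alpha*PL + f(i))
with the Delta_TF term omitted and f(i) accumulating the two-bit TPC field of
DCI format 0 (0 -> -1 dB, 1 -> 0 dB, 2 -> +1 dB, 3 -> +3 dB).  The numeric
parameters (P_CMAX = 23 dBm, P_O = -80 dBm, alpha = 0.8, PL = 110 dB, one PRB)
are assumed for illustration.
"""
import math

# Two-bit TPC field of DCI format 0 -> accumulated step in dB (assumed mapping)
TPC_ACCUMULATED_DB = {0: -1.0, 1: 0.0, 2: 1.0, 3: 3.0}


class PuschPowerControl:
    def __init__(self, p_cmax_dbm=23.0, p0_dbm=-80.0, alpha=0.8,
                 path_loss_db=110.0, n_prb=1):
        self.p_cmax = p_cmax_dbm
        # Open-loop part: depends only on the UE's own downlink path-loss estimate.
        self.open_loop = 10 * math.log10(n_prb) + p0_dbm + alpha * path_loss_db
        self.f = 0.0                        # closed-loop accumulator f(i)

    def tx_power_dbm(self):
        return min(self.p_cmax, self.open_loop + self.f)

    def apply_tpc(self, field):
        """Apply one two-bit TPC field; returns the resulting transmit power in dBm."""
        delta = TPC_ACCUMULATED_DB[field]
        # A UE already at P_CMAX does not accumulate further positive commands.
        if delta > 0 and self.tx_power_dbm() >= self.p_cmax:
            return self.tx_power_dbm()
        self.f += delta
        return self.tx_power_dbm()


def simulate(fields, **params):
    """Transmit power after each TPC field, for a UE starting at f(0) = 0."""
    pc = PuschPowerControl(**params)
    return [pc.apply_tpc(f) for f in fields]


def commands_to_pcmax(field=3, **params):
    """Number of injected commands that take the UE from open-loop power to P_CMAX."""
    pc = PuschPowerControl(**params)
    count = 0
    while pc.tx_power_dbm() < pc.p_cmax:
        pc.apply_tpc(field)
        count += 1
    return count


def linear_power_ratio(p_from_dbm, p_to_dbm):
    """Factor by which radiated power grows between two levels in dBm."""
    return 10 ** ((p_to_dbm - p_from_dbm) / 10)


if __name__ == "__main__":
    # Legitimate eNodeB: small corrections around the open-loop level.
    print("legitimate :", simulate([1, 2, 0, 1, 1, 1]))
    # Adversary: inject field 3 (+3 dB) every subframe until the UE saturates.
    print("injected   :", simulate([3] * 8))
    n = commands_to_pcmax()
    print("commands to reach P_CMAX:", n,
          "; power ratio vs open loop:", round(linear_power_ratio(8.0, 23.0), 1))
```

Under these assumptions the open-loop level is 8 dBm, five injected +3 dB commands saturate the UE at 23 dBm, and the radiated power is about 31.6 times the open-loop value; the attacker needs no knowledge of the UE's path loss, only the ability to address it with its CRNTI.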
III. TECHNICAL BACKGROUND


Some of the important technical aspects of 3GPP LTE are discussed in this chapter. The basic technologies and methods employed in LTE, which include OFDM, OFDMA, SC-FDMA, and MIMO, are discussed in the following sections. In addition, an overview of the LTE architecture and the details of the Layer 1 and Layer 2 protocols, followed by LTE security and the proposed threat model, are presented. The aim of this chapter is to provide the reader a preliminary background on LTE and to aid in understanding the problem discussed in Chapter IV.
A. LTE TECHNOLOGY BASICS 


The LTE physical layer employs several advanced technologies to convey both control and data information between the eNodeB and the UE. These techniques include OFDM and MIMO data transmission.


1. OFDM 


Most cellular systems prior to LTE used single-carrier modulation schemes. Although LTE uses OFDM instead of single-carrier modulation, it is important to understand how the previous single-carrier systems dealt with multipath-induced channel distortion and to contrast that with OFDM systems. Graphical representations of single-carrier transmission and OFDM in the frequency domain are shown and contrasted in Figure 3.


[Figure 3: frequency-domain sketch. Left: single-carrier transmission occupying one wide carrier (e.g. 5 MHz). Right: OFDM, typically several hundred sub-carriers with a spacing of x kHz.]
Figure 3. Representation of single-carrier transmission and OFDM in the frequency domain. From [18].
In a communication system, delay spread refers to the amount of time delay at the receiver for a signal travelling from the transmitter along different paths [19]. The delay caused by multipath transmission can result in a received symbol from a delayed path “bleeding” into a subsequent symbol that arrived at the receiver via the direct path. This effect is known as inter-symbol interference (ISI) and is shown in Figure 4. In general, the single-carrier symbol time decreases as the data rate increases, and it is possible for ISI to spill into a second or third subsequent symbol at very high data rates.
Figure 4. Multipath-induced time delays result in ISI. From [19]. 


Single-carrier systems usually compensate for channel distortion via time domain 
equalization using either channel inversion or equalizers [19]. 


In channel inversion, a known sequence is transmitted over the channel prior to 
sending actual information. As the original signal is known at the receiver, a channel 
equalizer is able to determine the channel response and multiply the subsequent data-
bearing signal by the inverse of the channel response to reverse the effects of multipath. 


CDMA systems can employ equalizers to resolve the individual paths and then 
combine digital copies of the received signal shifted in time to enhance the receiver 
signal-to-noise ratio (SNR). 


The implementation of channel equalizers becomes more complex as data rates increase: 
the symbol times are shorter, and ISI is much more severe. The data rates of LTE are up 
to 100 Mbps and delay spreads are about 17 μs [19]; thus, the approach of channel 
equalization is unfeasible. Hence, OFDM is introduced, which eliminates ISI and greatly 
simplifies the task of channel compensation. 


The LTE system employs OFDM as the downlink transmission scheme due to its 
robustness against frequency-selective fading and narrowband interference. In OFDM, 
the available bandwidth is split into multiple narrow-bandwidth sub-carriers and the data 
is transmitted in parallel streams. Each sub-carrier is then independently modulated using 
conventional modulation schemes such as quadrature phase-shift keying (QPSK), 16-point 
quadrature amplitude modulation (16QAM) or 64QAM and transmitted over the closely 
spaced, orthogonal sub-carriers. A representation of the OFDM signal in the frequency 
and time domains is shown in Figure 5. The problem of ISI becomes more severe as the data 
transmission rate increases; it occurs because the channel delay spread is 
greater than the symbol period when the data is transmitted as a serial stream. 


In OFDM, this problem is avoided by converting the data stream into multiple, 
parallel sub-carriers. This conversion creates an OFDM symbol that is generally much 
longer than the symbol on single-carrier systems and, thus, greater than the channel delay 
spread. In Figure 5, the guard interval, which is the cyclic prefix (CP), is inserted prior to 
the OFDM symbol in the time domain to eliminate ISI due to channel delay spread. The 
use of narrow-band sub-carriers combined with the CP makes the transmission of OFDM 
symbols inherently robust to the time dispersion on the channel and eliminates the need 
for complex channel equalization on the receiver end. This property greatly simplifies the 
processing required for the UE, which in turn reduces the terminal cost and the power 
consumption. 
Figure 5. Frequency-time representation of an OFDM signal. From [20]. 


The generation of the OFDM signal is based on the inverse fast Fourier 
transform (IFFT), as illustrated in Figure 6. As shown in Figure 6, the IFFT converts N 
frequency domain symbol streams to N complex time domain samples. These time 
domain samples are then serialized to create the time domain signal. 


[Figure 6: N parallel QAM symbol streams → N-point IFFT → N complex time-domain samples → serialization.] 
Figure 6. OFDM signal generation chain. From [20]. 


The superiority of OFDM to single-carrier systems in terms of its ability to 
eliminate ISI was discussed in the previous section. OFDM, however, has two primary 
weaknesses when compared to single-carrier systems: it is sensitive to carrier 
frequency errors and has a large signal peak-to-average power ratio (PAPR). 


One of the problems with OFDM is that it is sensitive to carrier frequency errors 
due either to local oscillator offset or to Doppler shifts [19]. Different reference frequencies 
used in the transmitter and receiver cause inter-carrier interference (ICI) and result in 
the loss of OFDM orthogonality. Also, the use of a cost-effective local oscillator in the 
UE may cause frequency drift and result in a carrier frequency offset (CFO), which 
may be greater than the sub-carrier spacing. 

Another disadvantage of OFDM is that it has a large signal PAPR. Amplitude 
variations in the transmitted power of a single OFDM symbol are high because the 
OFDM symbol is a combination of all of the sub-carriers, and the power of these sub-
carriers can vary significantly. A high PAPR increases the dynamic range requirement of 
the analog-to-digital and digital-to-analog converters and also reduces the efficiency of 
the transmitter's radio frequency (RF) power amplifier. The use of a more expensive 
transmitter capable of accommodating these requirements is often the remedy to the large 
PAPR. 
2. OFDMA 


In an OFDM transmission scheme, a single user receives all the sub-carriers at 
one time. On the other hand, in an OFDMA transmission scheme, different users can 
receive different subsets of sub-carriers simultaneously. Each user is allocated a specific 
time-frequency resource, where data is transmitted over different sub-carriers over a 
certain time period. The transmission scheme can be viewed in terms of the time and 
frequency domains. OFDM allocates resources to users in the time domain only, while 
OFDMA allocates resources to users in both the time and frequency domains. The contrast 
between the two transmission schemes is illustrated in Figure 7. 


[Figure 7: frequency domain versus time domain allocation; OFDM assigns all sub-carriers to one user per time interval, while OFDMA assigns subsets of sub-carriers to different users in both time and frequency.] 
Figure 7. Contrast between transmission schemes of OFDM and OFDMA. From [18]. 


3. SC-FDMA 


OFDMA is able to fulfill LTE's high transmission data rate requirement while 
eliminating ISI in the downlink as discussed in the previous section. The properties of 
OFDMA signals, in particular the high PAPR, result in poorer uplink coverage. This 
property makes it less favorable as an uplink transmission scheme for LTE. 


SC-FDMA is selected as the LTE uplink transmission scheme since it can achieve 
the benefits that OFDM brings to LTE because of similarities in the signal processing 
properties of both transmission schemes. At the same time, SC-FDMA has a low PAPR. 
This low PAPR characteristic is especially important for the design of a cost-effective 
power amplifier for the UE. 


The principle of discrete Fourier transform (DFT)-spread-OFDM is used to 
generate the SC-FDMA signal as illustrated in Figure 8. A block of modulation data 
symbols is first input to an N-point DFT in order to transform these 
modulation symbols into the frequency domain. The output of the transformed signal is then 
mapped to the available sub-carriers, which then pass through an M-point IFFT operation 
block. This is followed by parallel-to-serial conversion and the addition of the CP. There are 
two main schemes to implement the sub-carrier mapping, namely localized and 
distributed. In a localized scheme, each user uses a set of adjacent sub-carriers to transmit 
data. In a distributed scheme, each user uses sub-carriers that are spread across the entire 
bandwidth. 


[Figure 8: time domain → frequency domain → time domain; coded symbols (rate R, N symbols) → N-point DFT → sub-carrier mapping → M-point IFFT → parallel/serial conversion → CP insertion.] 
Figure 8. SC-FDMA signal generation chain. From [18]. 


In OFDM, each data symbol is modulated onto one sub-carrier individually at a 
given instant, and the digital modulation represents the amplitude of the respective sub-
carrier. Each sub-carrier of an OFDM signal carries information related to one specific 
symbol. In contrast, in SC-FDMA, a linear combination of all the transmitted data 
symbols at a given instant is modulated onto a given sub-carrier, and all the transmitted sub-
carriers of the SC-FDMA signal carry a component of every modulated data 
symbol. Thus, each sub-carrier of the SC-FDMA signal carries information of all the 
transmitted symbols. Representations of the OFDM and SC-FDMA signals are shown in 
Figure 9. 
[Figure 9: (a) OFDM sub-carriers f_1 ... f_N against frequency, each carrying one data symbol; (b) DFT-s-OFDM sub-carriers, each carrying a component of all data symbols.] 
Figure 9. Representation of OFDM and SC-FDMA signals. From [18]. 
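The following is an added example (not from the thesis or the sources it cites) that works the two points of Sections A.1 and A.3 in pure Python: a stream of OFDM symbols with a cyclic prefix is passed through a constructed three-tap multipath channel and recovered with one complex division per sub-carrier, the same stream without a CP shows the ISI described above, and the same DFT helpers then compare the PAPR of a worst-case OFDM symbol with the DFT-spread (SC-FDMA) version of the same data. The channel taps, the seeded QPSK data and N = 16 sub-carriers are constructed values chosen for illustration.

```python
import cmath
import math
import random


def dft(x):
    """Unnormalised N-point DFT: X[k] = sum_n x[n] exp(-j 2 pi k n / N)."""
    n = len(x)
    return [sum(x[m] * cmath.exp(-2j * math.pi * k * m / n) for m in range(n))
            for k in range(n)]


def idft(x):
    """Inverse DFT with 1/N scaling (the IFFT block of Figure 6)."""
    n = len(x)
    return [sum(x[k] * cmath.exp(2j * math.pi * k * m / n) for k in range(n)) / n
            for m in range(n)]


def qpsk_symbols(count, seed):
    """Constructed QPSK data: two seeded random bits per unit-energy symbol."""
    rng = random.Random(seed)
    a = 1 / math.sqrt(2)
    return [complex((1 - 2 * rng.getrandbits(1)) * a,
                    (1 - 2 * rng.getrandbits(1)) * a) for _ in range(count)]


def ofdm_modulate(symbols, cp_len):
    """One OFDM symbol: IDFT of the sub-carrier symbols, then the last cp_len
    time samples are copied in front as the cyclic prefix (guard interval)."""
    time = idft(symbols)
    return time[len(time) - cp_len:] + time


def channel(signal, taps):
    """Multipath channel as linear convolution; every tap after the first is
    a delayed echo whose tail spills into the following symbol (ISI)."""
    out = [0j] * (len(signal) + len(taps) - 1)
    for i, x in enumerate(signal):
        for delay, gain in enumerate(taps):
            out[i + delay] += gain * x
    return out[:len(signal)]


def ofdm_receive(rx, n_sub, cp_len, index, taps):
    """Drop the CP of the index-th symbol, DFT the N samples and equalise with
    ONE complex division per sub-carrier: the simplification OFDM buys."""
    start = index * (n_sub + cp_len) + cp_len
    block = rx[start:start + n_sub]
    h_freq = dft(list(taps) + [0j] * (n_sub - len(taps)))
    return [y / h for y, h in zip(dft(block), h_freq)]


def max_symbol_error(n_sub, cp_len, taps, n_symbols=2, seed=7):
    """Send n_symbols back to back and return the worst distance between a
    transmitted sub-carrier symbol and its equalised estimate."""
    data = [qpsk_symbols(n_sub, seed + i) for i in range(n_symbols)]
    tx = [s for d in data for s in ofdm_modulate(d, cp_len)]
    rx = channel(tx, taps)
    return max(abs(est - ref)
               for i, d in enumerate(data)
               for est, ref in zip(ofdm_receive(rx, n_sub, cp_len, i, taps), d))


def papr(signal):
    """Peak-to-average power ratio of a time-domain block (linear, not dB)."""
    powers = [abs(x) ** 2 for x in signal]
    return max(powers) / (sum(powers) / len(powers))


def scfdma_modulate(symbols, n_ifft, first_subcarrier=0):
    """DFT-spread OFDM (Figure 8): N-point DFT of the data block, localised
    mapping onto n_ifft sub-carriers from first_subcarrier, then IDFT."""
    spread = dft(symbols)
    grid = [0j] * n_ifft
    grid[first_subcarrier:first_subcarrier + len(spread)] = spread
    return idft(grid)


def papr_comparison(n_sub=16):
    """Worst case for OFDM: every sub-carrier carries the same symbol, so the
    IDFT piles all the energy into one sample and PAPR = N. DFT-spreading the
    same block over the same N sub-carriers returns the constant-envelope
    QPSK sequence itself, so PAPR = 1 (0 dB)."""
    same = [complex(1, 1) / math.sqrt(2)] * n_sub
    return papr(ofdm_modulate(same, 0)), papr(scfdma_modulate(same, n_sub))


if __name__ == "__main__":
    taps = [1.0, 0.5, 0.25]          # constructed 3-tap channel, 2 echo delays
    print("worst error, CP = 4 samples:", max_symbol_error(16, 4, taps))
    print("worst error, no CP        :", max_symbol_error(16, 0, taps))
    print("PAPR (OFDM, SC-FDMA)      :", papr_comparison())
```

With a CP at least as long as the channel memory (two echo delays here) the recovered symbols match the transmitted ones to floating-point precision; with no CP the tail of each symbol corrupts the next and the single-tap equaliser can no longer undo it.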


4. MIMO Concept 


MIMO technology is one of the key enablers for LTE to achieve the ambitious 
requirement for high throughput and spectral efficiency through the use of multi-antenna 
techniques at both the transmitter and receiver in the network. The improved performance 
is achieved without additional bandwidth or increased transmission power. This is made 
possible by dividing the same total transmission power over the multiple antennas to 
achieve an array gain that improves the spectral efficiency (more bits per second per hertz 
of bandwidth) or to achieve a diversity gain that improves the link reliability [19]. 


On a high level, LTE multi-antenna transmission can be divided into two modes, 
namely spatial multiplexing and transmit diversity. Spatial multiplexing uses non-
orthogonal MIMO codes to increase the bandwidth, while transmit diversity uses 
orthogonal MIMO codes to increase power while preserving bandwidth. The use of one 
MIMO mode or the other depends on the radio channel condition. 


Spatial multiplexing is a technique that allows transmission of multiple, different 
data streams simultaneously on the same downlink resource block and is only possible if 
the channel allows it [20]. These data streams can belong to a single user, which 
significantly increases the peak rate of one user. These data streams can also belong to 
different users, which increases the overall capacity. The principle of spatial multiplexing 
is illustrated in Figure 10. As shown in Figure 10, spatial multiplexing exploits the 
channel's spatial dimension. The transmitted data streams go through a channel, which 
consists of all N_t N_r paths between the N_t transmit antennas at the transmitter and the N_r 
receive antennas at the receiver. This channel can be represented by the channel matrix 
H, where h_ij represents the complex gain of the channel between the jth transmit antenna and 
the ith receive antenna, as shown in Figure 11. 


[Figure 10: the original data stream 010110 is split across the transmit antennas and reassembled as 010110 at the receiver.] 
Figure 10. Principle of spatial multiplexing. From [20]. 


H = \begin{pmatrix} h_{11} & h_{12} & \cdots & h_{1 N_t} \\ h_{21} & h_{22} & \cdots & h_{2 N_t} \\ \vdots & \vdots & \ddots & \vdots \\ h_{N_r 1} & h_{N_r 2} & \cdots & h_{N_r N_t} \end{pmatrix} 
Figure 11. Channel matrix H. From [21]. 


On the other hand, transmit diversity can be used to increase the robustness of the 
data transmission instead of increasing the data rate. Transmit diversity is a technique for 
coherently adding the signals received from two transmit antennas. As the antennas are 
physically separated, their different channel impulse responses reduce the impact of the deep 
fading that occurs on each antenna, thereby enhancing the link 
reliability. 
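As an added example (not part of the thesis), the two multi-antenna modes above on a 2x2 channel matrix H with entries h_ij: spatial multiplexing is undone with a zero-forcing (matrix inverse) receiver, and transmit diversity is shown with the two-antenna orthogonal Alamouti code on which LTE's transmit-diversity mode is based. The channel gains and symbols are constructed values; the channel is noise-free and constant over the two symbol periods.

```python
import math


def mat_vec(h, x):
    """y_i = sum_j h_ij x_j for a 2x2 channel matrix and two transmitted symbols."""
    return [h[0][0] * x[0] + h[0][1] * x[1], h[1][0] * x[0] + h[1][1] * x[1]]


def inverse_2x2(h):
    """Inverse of H. A (near-)singular H means the two streams are not
    separable, which is why spatial multiplexing is only possible when the
    channel allows it."""
    det = h[0][0] * h[1][1] - h[0][1] * h[1][0]
    if abs(det) < 1e-12:
        raise ValueError("channel matrix is singular: streams cannot be separated")
    return [[h[1][1] / det, -h[0][1] / det], [-h[1][0] / det, h[0][0] / det]]


def spatial_multiplexing(h, streams):
    """Send two different symbols on the two antennas in the same resource,
    receive y = H x, and recover both streams with x_hat = H^-1 y."""
    y = mat_vec(h, streams)
    return mat_vec(inverse_2x2(h), y)


def alamouti_transmit(s1, s2):
    """Orthogonal code over two symbol periods on two antennas:
    period 1 sends (s1, s2), period 2 sends (-s2*, s1*)."""
    return [(s1, s2), (-s2.conjugate(), s1.conjugate())]


def alamouti_receive(h1, h2, r1, r2):
    """Coherent combining at one receive antenna. Because the code is
    orthogonal the cross-terms cancel and each estimate is
    (|h1|^2 + |h2|^2) * s_i: both paths add power, so a deep fade on one
    antenna is covered by the other."""
    gain = abs(h1) ** 2 + abs(h2) ** 2
    s1 = (h1.conjugate() * r1 + h2 * r2.conjugate()) / gain
    s2 = (h2.conjugate() * r1 - h1 * r2.conjugate()) / gain
    return s1, s2, gain


def transmit_diversity(h1, h2, s1, s2):
    """Run the Alamouti code over a flat channel (h1, h2) that is constant for
    the two symbol periods; returns the recovered symbols and the array gain."""
    (a1, a2), (b1, b2) = alamouti_transmit(s1, s2)
    r1 = h1 * a1 + h2 * a2          # received in period 1
    r2 = h1 * b1 + h2 * b2          # received in period 2
    return alamouti_receive(h1, h2, r1, r2)


if __name__ == "__main__":
    # constructed complex channel gains, h[i][j]: transmit antenna j -> receive antenna i
    h = [[0.8 + 0.3j, 0.2 - 0.1j], [-0.4 + 0.5j, 0.9 + 0.1j]]
    q = 1 / math.sqrt(2)
    print("spatial multiplexing:", spatial_multiplexing(h, [complex(q, q), complex(-q, q)]))
    print("transmit diversity  :", transmit_diversity(0.1 + 0.05j, 0.7 - 0.6j,
                                                      complex(q, -q), complex(q, q)))
```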
5. Generic Frame Structure 


LTE physical layer transmission is deployable in two modes: frequency-division 
duplexing (FDD) and time-division duplexing (TDD), each of which has its own frame 
structure. The frame structure defines the frame, slot and symbol in the time domain. 
Although the uplink and downlink data transmission schemes are different, they share a 
common frame structure. 


Frame structure type 1 is defined for FDD mode, and the structure is as shown in 
Figure 12. The LTE data transmission is segmented into frames which are 10 ms in 
duration. Each frame consists of 10 sub-frames, and each sub-frame is further divided 
into two slots of 0.5 ms duration each. 


[Figure 12: one radio frame, T_f = 307200 × T_s = 10 ms, divided into sub-frames 0 to 9; each sub-frame consists of two slots, T_slot = 15360 × T_s = 0.5 ms.] 
Figure 12. LTE frame structure type 1. From [22]. 


Frame structure type 2 is defined for TDD mode and is shown in Figure 13. The 
LTE data transmission is also segmented into frames which are 10 ms in duration. Each 
frame consists of two half-frames. Each half-frame is further divided into four sub-frames 
and a special sub-frame, or five sub-frames, depending on the downlink-to-uplink switch-
point periodicity. The special sub-frame consists of three fields: Downlink Pilot 
Timeslot (DwPTS), Guard Period (GP) and Uplink Pilot Timeslot (UpPTS). 


The frame structure of TDD can exist in seven different sub-frame format 
configurations, with sub-frames 0 and 5 and DwPTS always reserved for downlink 
transmission. The sub-frame that follows the special sub-frame and UpPTS is 
assigned to uplink transmission. The various uplink-downlink configurations are shown 
in Table 4, where D denotes a sub-frame reserved for downlink transmission, U denotes a 
sub-frame reserved for uplink transmission, and S denotes the special sub-frame. 


[Figure 13: one radio frame, T_f = 307200 × T_s = 10 ms; one half-frame, 153600 × T_s = 5 ms; one sub-frame, 30720 × T_s = 1 ms; one slot, T_slot = 15360 × T_s = 0.5 ms; each half-frame contains a special sub-frame made up of DwPTS, guard period and UpPTS.] 
Figure 13. LTE frame structure type 2 (5 ms switch point periodicity). From [22]. 


Table 4. Uplink-downlink configuration for LTE frame structure type 2 [22]. 

Uplink-downlink configuration | Downlink-to-uplink switch-point periodicity | Subframe number: 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 





6. Physical Resource Block 


A physical resource block (PRB) is the smallest element of resource allocation 
assigned by the base station scheduler [23]. LTE is a system with scalable bandwidth. 
The current LTE specification defines six supportable bandwidths from 1.4 MHz to 
20 MHz, with the corresponding number of PRBs required as shown in Table 5. Each PRB consists 
of 12 consecutive sub-carriers with a constant spacing of 15 kHz each, occupying a total 
bandwidth of 180 kHz. A downlink slot consists of seven OFDM symbols when the normal 
CP is employed or six OFDM symbols when the long CP is employed. A resource block 
comprises seven columns of OFDM symbols and 12 rows of sub-carriers, which 
constitute 84 resource elements, as shown in Figure 14. 




Table 5. Resource block configuration for different channel bandwidths. From [24]. 

Channel bandwidth BW_Channel [MHz] | Transmission bandwidth configuration N_RB 





[Figure 14: 1 sub-frame = 1 ms = 14 OFDM symbols (normal cyclic prefix); 1 slot = 0.5 ms = 7 OFDM symbols (normal cyclic prefix); a resource block spans 12 sub-carriers in the frequency domain and 1 slot in the time domain; a resource element is indexed (k, l), with sub-carriers numbered by index k and OFDM symbols by index l, starting at l = 0.] 
Figure 14. Downlink resource grid. From [24]. 


7. Supportable Frequency Bands 


The LTE specifications inherited the frequency bands defined for UMTS and 
extended the list as shown in Table 6, where each E-UTRAN operating band is displayed with its 
corresponding uplink and downlink operating bands and duplex mode. 
Table 6. LTE operating band. From [24]. 

E-UTRA operating band | Uplink (UL) operating band (BS receive / UE transmit) | Downlink (DL) operating band (BS transmit / UE receive) | Duplex mode 
NOTE 1: Band 6 is not apr 
B. LTE NETWORK ARCHITECTURE OVERVIEW 


The high-level view of the LTE network architecture is shown and the interaction 
of the various elements and interfaces is illustrated in Figure 15. 

The LTE architecture comprises three main building blocks: the UE, the 
E-UTRAN and the Evolved Packet Core (EPC). 


The UE is a mobile unit that allows a user to access network services, connecting 
to the E-UTRAN via the radio interface. 


The E-UTRAN consists of eNodeBs, which are the LTE base stations, and 
provides the user-plane (PDCP, RLC, MAC and physical layers) and control-plane 
(RRC) protocol terminations towards the UE. The eNodeBs are typically interconnected 
to each other by the X2 interface, enabling direct communication. The E-UTRAN is 
connected to the EPC by means of the S1 interface, which connects the eNodeBs to the 
mobility management entity (MME) and serving gateway (S-GW) elements. 


The EPC is the core network in the LTE/System Architecture Evolution (SAE) 
system and is responsible for overall control of the UE and establishment of the bearers, 
which are the traffic flows between the UE and the Packet Data Network Gateway (P-
GW). The EPC comprises the logical nodes P-GW, S-GW and MME. 


[Figure 15: the UE, the E-UTRAN and the EPC, with the EPC connecting to external IP networks (internet, corporate networks, operator services).] 
Figure 15. High level architecture of LTE. After [25]. 
The functional split between the E-UTRAN and EPC is shown in Figure 16. The 
yellow boxes in Figure 16 represent the logical nodes, the white boxes represent the 
functional entities of the control plane, and the blue boxes represent the radio protocol 
layers. 


[Figure 16: the MME and E-UTRAN (eNodeB) logical nodes with their control-plane functional entities and radio protocol layers.] 
Figure 16. Functional split between the E-UTRAN and EPC. From [26]. 


The functions of the logical node eNodeB include radio resource management, IP 
header compression and encryption of the user data stream, the selection of an MME, the 
routing of user plane data towards the S-GW, the scheduling and transmission of paging 
messages, broadcast information and public warning system messages, measurement 
and measurement reporting configuration for mobility and scheduling, closed subscriber 
group (CSG) handling that allows a permitted group of users to access a particular cell, 
and transport level packet marking in the uplink [26]. 


The functions of the logical node MME are non-access stratum (NAS) signaling 
(i.e., the signaling of the protocols that operate between the UE and the Core Network 
(CN)), NAS signaling security, access stratum (AS) security control, and inter-CN node 
signaling for mobility between 3GPP access networks [26]. 


The functions of the logical node S-GW include acting as the local mobility 
anchor point for inter-eNodeB handover and mobility anchoring for inter-3GPP mobility, 
E-UTRAN idle-mode downlink packet buffering and initiation of the network-triggered 
service request procedure, lawful interception, and packet routing and forwarding. 


The functions of the logical node P-GW consist of per-user based packet filtering, 
lawful interception, UE IP address allocation, transport level packet marking in the uplink 
and the downlink, and uplink and downlink service level charging, gating and rate 
enforcement. 

A comprehensive list of the functions offered by the logical nodes can be found in 
3GPP TS 36.300 [26]. 


The user plane protocol stack consists of the MAC, RLC and PDCP sub-layers, which 
are terminated at the eNodeB as shown in Figure 17. The functions of these sub-layers are 
discussed in the following sections. The control plane protocol stack is similar to the user 
plane protocol stack, with the exception of an additional Radio Resource Control (RRC) 
sub-layer terminated at the eNodeB and the NAS protocol terminated at the MME, as shown in 
Figure 18. 
Figure 17. User plane protocol stack. After [26]. 
Figure 18. Control plane protocol stack. After [26]. 


C. NETWORK AND PROTOCOL ARCHITECTURE 


The relationships of the IP packet with the Protocol Data Units (PDU) and Service 
Data Units (SDU) at the respective layers are illustrated in Figure 19. In a data 
transmission from the eNodeB to the UE, each protocol layer receives an SDU from the higher 
layer and appends its own layer header to form a PDU, which it sends to the lower 
layer. In this study, the main focus is on the Layer 2 protocol. The PDCP, RLC and MAC 
layers together constitute Layer 2. 


[Figure 19: IP packets enter the UE stack as PDCP SDUs; the Packet Data Convergence Protocol, Radio Link Control and Medium Access Control layers each add a header to form PDCP, RLC and MAC PDUs, which become the SDUs of the layer below; MAC PDUs are carried by the physical layer (PHY) in sub-frames of 14 OFDM symbols within one radio frame of 10 ms.] 
Figure 19. Transmission of data in LTE downlink in time domain. From [27]. 
1. MAC [28] 


The MAC layer is mainly responsible for managing the mapping of logical 
channels to the appropriate transport channels and the multiplexing and de-multiplexing 
of MAC SDUs between the physical and RLC layers. The various logical and transport 
channels within the LTE standard are illustrated in Figure 20 and Figure 21, respectively. 
The supported mappings between these logical and transport channels for the downlink 
are displayed in Figure 22, while those for the uplink are displayed in Figure 23. The 
main transport channel for the downlink is the DL-SCH while that for the uplink is the UL-SCH, as 
shown in Figures 22 and 23, respectively. Other functions performed by MAC are 
hybrid automatic repeat request (HARQ) for retransmission, scheduling 
information reporting, priority handling between UEs by means of dynamic 
scheduling, priority handling between logical channels of one UE, logical channel 
prioritization, and transport format selection. 





Figure 20. Logical channels in LTE. After [28]. 
Figure 21. Transport channels in LTE. After [28]. 
Figure 22. Downlink mapping of logical to transport channels in LTE. From [29]. 


The physical channels defined in LTE include the physical broadcast channel 
(PBCH), which carries part of the system information required by the terminal in order to 
access the network. The physical downlink shared channel (PDSCH) is used for unicast 
transmission and for transmission of paging information. The physical downlink control 
channel (PDCCH) is used for downlink control information, mainly scheduling decisions 
and scheduling grants enabling transmission on the physical uplink shared channel 
(PUSCH). The physical hybrid-ARQ indicator channel (PHICH) carries the hybrid-ARQ 
acknowledgement to indicate to the terminal whether a transport block should be 
retransmitted or not. The physical control format indicator channel (PCFICH) is a 
channel providing the terminals with the information necessary to decode the set of 
PDCCHs. The physical uplink shared channel (PUSCH) is the uplink counterpart to the 
PDSCH. The physical uplink control channel (PUCCH) is used by the terminal to send 
hybrid-ARQ acknowledgements, indicating to the eNodeB whether the downlink 
transport block(s) was successfully received or not, to send channel-status reports aiding 
downlink channel-dependent scheduling, and to request resources for transmitting uplink 
data. Finally, the physical random access channel (PRACH) is used for random 
access [29]. 


[Figure 23: uplink logical channels (CCCH, DTCH, DCCH), the transport channels they map to, and the physical channels PUSCH, PUCCH and PRACH.] 
Figure 23. Uplink mapping of logical to transport channels in LTE. From [29]. 


2. RLC [30] 


The RLC layer is the interface between the upper layers and the MAC layer, as 
illustrated in Figure 24. The RLC layer at the transmitter end is mainly responsible for 
performing segmentation of RLC SDUs, where the IP packet is formatted to a 
manageable size suitable for transmission at the lower layer. The RLC layer at the receiver 
end is responsible for the reassembly of RLC PDUs, where the PDU is formatted to fit 
the MAC SDU. The RLC PDU structure is shown in Figure 25. RLC also performs the 
reordering of RLC PDUs, duplicate detection and protocol error correction through 
Automatic Repeat Request (ARQ). 


The RLC layer provides three different modes for data transfer: acknowledged,
unacknowledged and transparent.


The functions of the acknowledged mode are as follows: the segmentation and
reassembly of RLC SDUs, the addition of RLC headers, a reliable in-sequence
delivery service, and suitability for carrying transmission control protocol traffic [31].


The functions of unacknowledged mode are as follows: the segmentation and 
reassembly of RLC SDUs, the addition of RLC headers, no guarantee of delivery, and the 
suitability for carrying streaming traffic [31]. 

In the transparent mode, there is no segmentation and reassembly of RLC SDUs,
no RLC headers are added and there is no guarantee of delivery, but it is suitable for carrying voice [31].


[Figure 24: transmitting and receiving TM, UM and AM RLC entities at the UE and eNB, with SAPs to the upper layers, logical channels to the lower layers, and the radio interface in between]

Figure 24. Overview model of RLC sub-layer. From [30].

Figure 25. RLC PDU structure. From [26].


3. PDCP [31]


The PDCP layer is mainly responsible for transfer, ciphering and deciphering of
user plane and control plane data. This layer also performs header compression and
decompression of IP data flows using the Robust Header Compression (ROHC)
protocols. Other functions performed by PDCP are integrity protection and integrity
verification of control plane data, maintenance of PDCP sequence numbers, timer-based
discard and duplicate discarding. The functional view of the PDCP layer is shown in
Figure 26.
Figure 26. Functional view of PDCP layer. From [30].

4. RRC [33]


The RRC layer is part of the LTE air interface control plane. This layer is
responsible for the broadcast of system information related to both the NAS and AS. It
performs RRC control such as paging, establishment, modification and release of the RRC
connection, radio configuration and Quality-of-Service (QoS) control. Other functions
performed by the RRC layer are inter-radio-access-technology mobility, measurement
configuration and reporting, generic protocol error handling and support of self-
configuration and self-optimization.
D. THREAT MODEL 


The proposed threat model for the LTE network is shown in Figure 27. In this
model, three elements are identified as being vulnerable to attack and are indicated by
the red arrows in Figure 27. These elements are the air interface between the UE and the
eNodeB, the eNodeB itself, and the Internet protocol linkage between the eNodeB and the
S-GW. There is literature, as mentioned in Chapter II, that discusses the inherent
weaknesses of the IP network, and these weaknesses are susceptible to attacks from
Element 3. Thus, we will not discuss Element 3. Element 2, the eNodeB, is typically
susceptible to physical attacks. We assume that the premises are secure and do not
discuss Element 2 either. The focus of this thesis is to study the possible attacks coming
from Element 1, which is the air interface between the UE and the eNodeB. The objective is
to identify and exploit the unprotected control signaling between the UE and the eNodeB
and cause disruption or degradation of services to the UEs.
E. LTE SECURITY 


The LTE security architecture is designed to provide strong protection for control
signaling and the user data traffic exchanged between the different entities of the LTE
network. The LTE architecture supports two distinct functions for the NAS and AS. The NAS
function comprises end-to-end communication between the core network and the UE.
The AS function comprises hop-by-hop communication between the network edges.
[Figure 27: external IP networks (Internet, corporate networks, operator services) attached to the LTE network; red arrows mark Elements 1 to 3]

Figure 27. Threat model for LTE network. After [25].


1. Control Plane Security 


The LTE entities and the signals that secure the control plane interfaces are shown
in Figure 28. The control plane consists of NAS signaling between the UE and the
MME, RRC signaling between the UE and the eNodeB, and S1-AP signaling between
the eNodeB and the MME. These signals are established between the entities and are
indicated in yellow boxes as illustrated in Figure 28. Encryption and integrity protection
of the NAS signaling is carried out in the NAS layer, while encryption and integrity
protection of the RRC signaling is performed at the PDCP layer. IP Security (IPSec)
tunneling is established between the eNodeB and the MME to carry the S1-AP signaling.
Figure 28. Control plane layered security. After [34].


2. User Plane Security


The LTE entities and mechanisms that secure user data traffic within the user plane
are shown in Figure 29. The user plane is protected by application protection between the
UE and the application server, user data protection between the UE and the eNodeB, and user
data protection between the eNodeB and the SAE-GW. These protections are established
between the entities and are indicated in yellow boxes as illustrated in Figure 29.
Application providers are required to provide application layer protection between the
UE and the application server. User data protection between the UE and the eNodeB is
provided using encryption and integrity protection at the PDCP layer, while user data
protection between the eNodeB and the SAE-GW is provided by established IPSec tunneling
[34].
Figure 29. User plane layered security. After [34].

IV. POTENTIAL WEAKNESS OF LTE SECURITY


Three important metrics of a mobile network are data throughput, delay, and
power. The exploitation of weaknesses in the protocol and the service mechanism that
cause service disruption or degradation on these three metrics is discussed in this
chapter. The disruption is typically achieved by exhausting the system's limited
resources. In this chapter, LTE's power control mechanisms are explored, and the
unprotected power control signal is exploited in order to conduct attacks on UEs and
degrade their intended services.

The background on the cell type structure used by the LTE network, the
interference experienced by UEs and the eNodeB, and the power control mechanism utilized
by LTE are presented in the following sections. The ways that an adversary can
maliciously manipulate the control field of the power control mechanism to sabotage
victim UEs are demonstrated. The impacts of an attack on the victim UE, as well as the
neighboring eNodeB, are evaluated at the end of the chapter.
A. CELL TYPE 


In this study, LTE is assumed to operate in a network cell with 120-degree
directional antennas (i.e., three sectors per site/cell) with the base station in the
center of the cell. This is in contrast with the classic network with omni-directional antennas,
which introduces more interference. The diagram of the 120-degree directional antenna
lobe for one cell sector is shown in Figure 30, while the diagram of a network cell set-up
with 120-degree directional antennas and adjacent cells is shown in Figure 31. In Figure
31, the different numbers represent the frequency channel band that users in the particular
sector are using.
B. INTERFERENCE 


The two types of interference considered are inter-cell and intra-cell
interference. Inter-cell interference is generated when the same carrier frequency is used
in adjacent cells. Intra-cell interference can arise in systems with non-orthogonal
channelization within the same cell. The main interference to the eNodeB is due to inter-
cell rather than intra-cell interference. The amount of interference to the neighboring UEs
within the same cell is effectively minimized in the ideal case since the LTE uplink is
orthogonal. However, there is a substantial amount of inter-cell interference to the
eNodeB from neighboring cells since adjacent cells have the same frequency assignments.
Generally, the closer a UE is to the neighboring cell, the stronger the generated
interference to that neighboring cell.
Figure 30. Center cell antenna bearing orientation diagram. From [20].





Figure 31. Diagram of the network cell set-up with 120-degree directional antenna. After [35].
C. UPLINK POWER CONTROL


Uplink power control for LTE refers to a set of tools by which the transmit power 
for different uplink physical channels and signals are controlled to ensure that they are 
received at the cell site with an appropriate power. The objectives of power control are to 
improve the system capacity, coverage, and user experiences while at the same time 
reduce the power consumption of the UE. In order to fulfill these objectives, power 
control mechanisms are used to maximize the desired received power signal and to 
minimize the amount of interference caused to the neighboring cells. 

Fundamentally, the power control formula consists of two main portions. The first 
part is computed according to the parameters signaled by the eNodeB. The second part is 
computed dynamically and updated from sub-frame to sub-frame. 

The overall closed loop power control for PUSCH transmission can be described
according to [36]. The transmit power $P_T$ is set at the UE using the parameters
signaled by the eNodeB and is calculated as

$$P_T = \min\left\{P_{\max},\; P_0 + \alpha\, PL_{DL} + 10\log_{10}(M) + \Delta_{MCS} + \delta\right\} \quad [\text{dBm}] \qquad (1)$$

where $P_{\max}$ is the maximum allowed transmit power of the particular UE class; $P_0$ is a cell-specific
parameter that is broadcast as part of the system information, also seen as the desired
received power; $\alpha$ is the path loss compensation factor; $PL_{DL}$ is the downlink path loss
estimated by the UE; $M$ is the instantaneous bandwidth in terms of the number of physical
resource blocks (PRBs); $\Delta_{MCS}$ is the different SINR required for the different modulation
schemes and coding rates; and $\delta$ is the explicit power control adjustment command.

Since $P_{\max}$ is fixed, and the second term of the min function in Equation (1), i.e.,
$P_0 + \alpha\, PL_{DL} + 10\log_{10}(M) + \Delta_{MCS} + \delta$, is variable, the UE transmit power is limited by $P_{\max}$.
In addition, the UE transmit power takes the lower value of the function in Equation (1).

To study the impact on the inter-cell interference to the eNodeB, some
assumptions and simplifications on the parameters used in Equation (1) are made. In
particular, $P_{\max}$ is fixed at 23 dBm [24]; $P_0$ is assumed to be constant; $\alpha$ is assumed to be
1, with full compensation of path loss, and is equal for all cells. In addition, the parameters
$PL_{DL}$, $M$ and $\Delta_{MCS}$ are assumed constant, and finally, $\delta$ is maliciously set to its maximum
value.


To better appreciate the parameters involved in Equation (1), they are illustrated
in Figure 32. The parameters $P_0$ and $\alpha$ are signals that are broadcast at periodic intervals
of 160 ms. The parameter $\delta$ is the explicit power control command signal from the
eNodeB to the UEs at periodic intervals of 1 ms and constitutes the dynamic part of the
power control equation. The typical use of the explicit power control command is to
compensate uplink multipath fading, which is not reflected in the downlink path loss. The
parameter $PL_{DL}$ is the path loss estimate calculated by the UE. This downlink path loss
can be estimated by measuring the received power of the downlink cell-specific reference
signals. The parameter $P_{\max}$ is the maximum allowed transmit power of the UE.
Figure 32. Power control parameters transmitted from eNodeB to UE.

1. Closed Loop Power Control Mechanism (Normal)


Uplink power control for LTE is a combination of an open-loop mechanism,
where the UE transmit power depends on estimates of the downlink path loss, and closed-
loop mechanisms, where the network can directly control the UE transmit power by
means of explicit power-control commands transmitted in the downlink.

The closed loop power control mechanism allows the UE to fine-tune the uplink
transmit power based on the transmitted closed loop correction value known as the
transmit power control (TPC) command. The TPC command is computed based on the
desired closed loop signal-to-interference and noise ratio (SINR) and the measured
(estimated) received SINR. When the received SINR is below the desired
SINR target, a TPC command is transmitted to the UE to request an increase in the
transmitter power. If not, a decrease in transmitter power is requested. The computation
and the steps involved in the closed loop power control are illustrated in Figure 33. In
Figure 33, the boxes shaded in blue are actions performed by the eNodeB, while those in
brown are actions performed by the UE.
Figure 33. Block diagram of steps involved in the closed loop power control mechanism.

The objectives of the closed loop power control to provide the required SINR are
to achieve an acceptable level of communication between the eNodeB and the UE and to
reduce the amount of interference received by the neighboring cells. At the same time,
power control aids in optimizing the limited battery power of the UE and achieves power
efficiency.


2. Closed Loop Power Control Mechanism (Modified)


A malicious adversary can modify the TPC field to a large value during the
feedback loop transmission from the eNodeB to the UE, as shown in Figure 34. In Figure 34, the
boxes shaded in red are actions performed by the malicious adversary. When the TPC
command field is adjusted to 7, corresponding to a value of 8 dB, this can increase the
transmit power to $P_{\max}$ according to Equation (1) and trick the UE into transmitting
at a higher power level. The respective TPC commands and values are shown in Table 7.
Figure 34. Closed loop power control modified by adversary.

Table 7. TPC commands with their corresponding values. From [36].

TPC Command    Value (in dB)
0              -6
1              -4
2              -2
3               0
4               2
5               4
6               6
7               8


In the case of PUSCH transmission, the explicit power control command
controlling the term $\delta$ is included in the 20-bit uplink scheduling grant (UL grant). The
content of the 20-bit uplink scheduling grant is shown in Table 8.


Table 8. Content of the uplink scheduling grant. From [36].

Field                                      Bits
Hopping flag                               1
Fixed-size resource block assignment       10
Truncated modulation and coding scheme     4
TPC command for scheduled PUSCH            3
UL delay                                   1
CSI request                                1


The UL grant field is carried in the MAC Random Access Response (MAC RAR), which
also contains three other fields: R, Timing Advance Command and Temporary CRNTI,
as shown in Figure 35. A MAC PDU consists of a MAC header and zero or more MAC
RARs, as shown in Figure 36.
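As an added example that is not part of the thesis, the following Python decodes a MAC RAR and its 20-bit UL grant, maps the 3-bit TPC command through Table 7, and evaluates Equation (1) under the simplifications stated above, so the clamp at $P_{\max}$ can be seen for a command of 7. The RAR and UL grant field widths follow 3GPP TS 36.321/36.213 (the page gives only the field names); $P_0$, $PL_{DL}$ and $M$ are constructed values, and the RAR bytes are constructed, not captured.

```python
# Added example (not from the thesis): decode a MAC RAR and its 20-bit UL grant,
# map the 3-bit TPC command through Table 7, and evaluate Equation (1) to see
# what transmit power the grant drives the UE to. Field widths follow 3GPP
# TS 36.321 / TS 36.213; the power-control inputs below are constructed values.
import math

# Table 7: RAR TPC command (3 bits) -> explicit adjustment delta in dB.
TPC_RAR_DB = {0: -6, 1: -4, 2: -2, 3: 0, 4: 2, 5: 4, 6: 6, 7: 8}


def build_ul_grant(hopping: int, rb_assignment: int, mcs: int,
                   tpc: int, ul_delay: int, csi_request: int) -> int:
    """Pack the UL grant fields of Table 8 (1+10+4+3+1+1 = 20 bits)."""
    assert 0 <= rb_assignment < 1 << 10 and 0 <= mcs < 16 and 0 <= tpc < 8
    return (((hopping & 1) << 19) | (rb_assignment << 9) | (mcs << 5)
            | (tpc << 2) | ((ul_delay & 1) << 1) | (csi_request & 1))


def parse_ul_grant(grant: int) -> dict:
    """Unpack the 20-bit UL grant into its fields (Table 8)."""
    return {
        "hopping_flag": (grant >> 19) & 0x1,
        "rb_assignment": (grant >> 9) & 0x3FF,
        "truncated_mcs": (grant >> 5) & 0xF,
        "tpc": (grant >> 2) & 0x7,
        "ul_delay": (grant >> 1) & 0x1,
        "csi_request": grant & 0x1,
    }


def build_mac_rar(timing_advance: int, ul_grant: int, temp_crnti: int) -> bytes:
    """Pack a 48-bit MAC RAR body: R(1) | Timing Advance(11) | UL grant(20) | Temp CRNTI(16)."""
    assert 0 <= timing_advance < 1 << 11 and 0 <= ul_grant < 1 << 20
    assert 0 <= temp_crnti < 1 << 16
    bits = (timing_advance << 36) | (ul_grant << 16) | temp_crnti  # R bit stays 0
    return bits.to_bytes(6, "big")


def parse_mac_rar(rar: bytes) -> dict:
    """Unpack a 6-byte MAC RAR body (Figure 35) into its four fields."""
    if len(rar) != 6:
        raise ValueError("MAC RAR body is 48 bits (6 bytes)")
    bits = int.from_bytes(rar, "big")
    return {
        "R": (bits >> 47) & 0x1,
        "timing_advance": (bits >> 36) & 0x7FF,
        "ul_grant": (bits >> 16) & 0xFFFFF,
        "temp_crnti": bits & 0xFFFF,
    }


def pusch_tx_power_dbm(p_max: float, p0: float, alpha: float, pl_dl: float,
                       m_prb: int, delta_mcs: float, delta: float) -> float:
    """Equation (1): P_T = min{P_max, P_0 + alpha*PL_DL + 10log10(M) + Delta_MCS + delta} [dBm]."""
    return min(p_max, p0 + alpha * pl_dl + 10 * math.log10(m_prb) + delta_mcs + delta)


def assess_rar(rar: bytes, m_prb: int = 4, p_max: float = 23.0, p0: float = -80.0,
               alpha: float = 1.0, pl_dl: float = 95.0, delta_mcs: float = 0.0) -> dict:
    """Report the transmit power a RAR's TPC command produces under the page's
    simplifications (P_max = 23 dBm, alpha = 1, other terms constant). P_0 and
    PL_DL are constructed values; M is passed in rather than decoded from the
    resource block assignment."""
    grant = parse_ul_grant(parse_mac_rar(rar)["ul_grant"])
    delta = TPC_RAR_DB[grant["tpc"]]
    power = pusch_tx_power_dbm(p_max, p0, alpha, pl_dl, m_prb, delta_mcs, delta)
    return {
        "tpc": grant["tpc"],
        "delta_db": delta,
        "tx_power_dbm": round(power, 2),
        # A grant that pins the UE at P_max is the condition worth flagging in monitoring.
        "saturated_at_p_max": power >= p_max,
    }


if __name__ == "__main__":
    for tpc in (3, 7):  # 0 dB (normal) versus the maximum +8 dB adjustment discussed above
        grant = build_ul_grant(0, 0x0A5, 0x6, tpc, 0, 0)          # constructed grant
        rar = build_mac_rar(0x123, grant, 0x1234)                   # constructed RAR body
        print(tpc, assess_rar(rar))
```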
Figure 35. Structure of MAC RAR. From [28].

Figure 36. MAC PDU consisting of MAC header and MAC RARs. From [28].


D. SCHEDULING GRANT 


The uplink scheduling grant, which includes the PUSCH resource indication,
transport format, and the power control command for the PUSCH uplink physical channel,
is carried as Downlink Control Information (DCI) by the Physical Downlink
Control Channel (PDCCH). To aid in understanding how the TPC field in the
uplink grant can be modified, it is imperative to study how this information is carried in the downlink
control channel.


1. Downlink Control Signaling


Downlink control signaling is carried by three downlink control channels, namely,
the Physical Control Format Indicator Channel (PCFICH), the Physical Hybrid-ARQ
Indicator Channel (PHICH), and the Physical Downlink Control Channel
(PDCCH). Downlink control signaling is located at the start of each downlink sub-frame,
where it spans up to the first three OFDM symbols.


The PCFICH indicates the size of the control region in terms of the number of
OFDM symbols used for control signaling and is located in the first OFDM symbol of the
respective sub-frame. The PCFICH consists of two bits of information, which correspond
to a control region size of one, two or three OFDM symbols. These two bits of
information are coded into a 32-bit codeword, scrambled with a cell- and sub-frame-
specific scrambling code, and QPSK-modulated for the transmission of 16 symbols. These 16
symbols are then mapped to four Resource Element Groups (REGs), where each REG
contains four Resource Elements (REs). These REGs are spread in frequency to achieve
good frequency diversity. The overall processing of the PCFICH is illustrated in Figure 37.
The PCFICH-to-resource-element mapping depends on the cell identity to mitigate the
probability of inter-cell interference.


[Figure 37: PCFICH processing chain from the 2-bit control format indicator to 16 QPSK symbols mapped onto REGs]

Figure 37. Overview of PCFICH processing. From [29].
The PHICH consists of one bit of information and is used to acknowledge the
uplink data transmission. It is located in the first OFDM symbol of the respective sub-
frame. The PHICH is spread on multiple REs to mitigate the power differences among
the REs and to provide sufficient energy for the transmission. In LTE, a structure is
adopted whereby several PHICHs are code multiplexed onto a set of REs, as illustrated in
Figure 38. A PHICH group consists of eight PHICHs (in the case of a normal cyclic prefix) and is
transmitted on the same set of REs. As shown in Figure 38, the one bit of information for
the acknowledgement is repeated three times to form three information bits. It is then
modulated with a binary phase-shift keying (BPSK) scheme on either the I or the Q branch,
followed by spreading with a length-four orthogonal sequence. A composite signal
representing the group of PHICHs is formed and scrambled. The twelve scrambled
symbols are then mapped to three REGs. These REGs are spread across frequency to
achieve good frequency diversity and to avoid inter-cell interference.
Figure 38. Overview of PHICH structure. From [29].


The PDCCH is used to convey the DCI, including the downlink scheduling
assignments, uplink scheduling grants and power-control commands. The PDCCH is
mapped onto resource elements in one, two or three OFDM symbols in the first slot of a
sub-frame and is sent at every sub-frame interval. The message size of the DCI depends on
the purpose of the control message. The DCI is defined in different DCI formats based
on size and usage, as summarized in Table 9.
Table 9. DCI formats with corresponding usage. From [29].

Relative DCI size   Uplink grant   Downlink assignment                                     Power control
Small               -              1C: small contiguous allocations                        -
                    0              1A: contiguous allocations only                         3, 3A
                    -              1B: contiguous allocations with spatial multiplexing    -
                    -              1:  flexible allocations, no spatial multiplexing       -
Large               -              2:  flexible allocations, full spatial multiplexing     -


A PDCCH is transmitted on one or a group of several consecutive control channel
elements (CCEs), where a CCE is made up of nine REGs. The number of CCEs transmitted
(one, two, four, or eight) depends on the payload size of the DCI and the channel-coding
rate [29]. In PDCCH transmission, only those REGs which are not assigned to the PCFICH
or PHICH are used, and multiple PDCCHs can be transmitted in a sub-frame.


The processing of the downlink signal is shown in Figure 39. First, a CRC is attached to the DCI
message and masked with the RNTI; the result is then convolutionally
coded at a rate of 1/3 to produce the PDCCH bits. The PDCCH bits to be
transmitted in a given sub-frame are then aggregated and scrambled by a cell- and sub-
frame-specific scrambling sequence, followed by QPSK modulation, interleaving and
cyclic shifting prior to PDCCH resource mapping.
Figure 39. Downlink signal processing of the eNodeB. After [29].


2. Decoding and Search Space


Each PDCCH supports multiple formats, and the format used is unknown to the
UE. The UE is informed of the number of OFDM symbols within the control region of a
sub-frame but is not explicitly informed of the detailed control channel structure. The
control region of the sub-frame comprises PDCCHs for multiple UEs. The UE has to
monitor this particular area and blindly attempt to decode the control region in every sub-
frame in order to extract its own control information. The concept of UE Search Spaces
introduced in LTE enhances the UEs' ability to decode the control channel region
efficiently. Instead of decoding the entire control channel region, a UE will only try to
decode CCEs within a pre-computed range known as the UE's own Search Space.


An illustration of the mapping of the search space to the respective UEs in the
control region is shown in Figure 40. In this illustration, the size of the control region has
a length of three OFDM symbols. The specific starting location where the UE begins to
decode the CCEs corresponding to the PDCCHs is described in [36] and is calculated as

$$Z_k = Y_k \bmod \left\lfloor \frac{N_{CCE,k}}{L_{PDCCH}} \right\rfloor \qquad (2)$$

where $Z_k$ is the PDCCH search space starting location in sub-frame number $k$ for CCE
aggregation level $L_{PDCCH}$; $N_{CCE,k}$ is the number of CCEs in sub-frame number $k$; $L_{PDCCH}$ is
the CCE aggregation level; and sub-frame number $k$ is an integer from 0 to 9.

The parameter $Y_k$ in Equation (2) is determined by

$$Y_k = (A \cdot Y_{k-1}) \bmod D \qquad (3)$$

where $Y_{k-1}$ is defined as

$$Y_{-1} = 16\,(UE\_ID) + \text{sub-frame number } k \qquad (4)$$

and $A$ is 39822 while $D$ is 65537.
This particular search space is determined by the sub-frame number and the UE's
CRNTI [37]. The UE finds its PDCCH by monitoring a set of PDCCH candidates in
every sub-frame to extract downlink control information. Within the search space, the UE
de-masks each control candidate's CRC using its RNTI. If no CRC error is detected, the
UE considers it a successful decoding attempt and reads the control information within
the successful candidate.
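The search-space computation of Equations (2) to (4), as an added example that is not part of the thesis. It uses $A$ and $D$ as this page states them; the seed $Y_{-1} = 16 \cdot UE\_ID$ follows Equation (4), and the sub-frame dependence is realized by advancing Equation (3) once per sub-frame $k$, which is an assumption about how the printed equations combine. The CCE counts are constructed.

```python
# Added example (not from the thesis): the UE-specific PDCCH search-space
# computation of Equations (2)-(4), with A and D as this page states them.
# Seed Y_{-1} = 16 * UE_ID follows Equation (4); the sub-frame dependence is
# realized by advancing Equation (3) once per sub-frame k (assumption).
A = 39822  # multiplier as given on this page
D = 65537  # modulus as given on this page
AGGREGATION_LEVELS = (1, 2, 4, 8)  # CCEs per PDCCH candidate


def y_sequence(ue_id: int, n_subframes: int = 10) -> list:
    """Y_k for k = 0 .. n_subframes-1 from Equations (3) and (4)."""
    if not 0 < ue_id < 1 << 16:
        raise ValueError("UE_ID (CRNTI) must be a non-zero 16-bit value")
    y = 16 * ue_id  # Y_{-1}, Equation (4)
    ys = []
    for _ in range(n_subframes):
        y = (A * y) % D  # Equation (3)
        ys.append(y)
    return ys


def search_space_start(y_k: int, n_cce_k: int, l_pdcch: int) -> int:
    """Equation (2): Z_k = Y_k mod floor(N_CCE,k / L_PDCCH)."""
    blocks = n_cce_k // l_pdcch
    if blocks == 0:
        raise ValueError("control region too small for this aggregation level")
    return y_k % blocks


def ue_search_spaces(ue_id: int, n_cce_per_subframe: list) -> list:
    """For every sub-frame k and aggregation level L, the block index Z_k and the
    absolute index of the first CCE (L * Z_k) the UE has to blind-decode."""
    ys = y_sequence(ue_id, len(n_cce_per_subframe))
    out = []
    for k, (y_k, n_cce) in enumerate(zip(ys, n_cce_per_subframe)):
        entry = {"k": k, "Y_k": y_k, "levels": {}}
        for level in AGGREGATION_LEVELS:
            z = search_space_start(y_k, n_cce, level)
            entry["levels"][level] = {"Z_k": z, "first_cce": level * z}
        out.append(entry)
    return out


if __name__ == "__main__":
    # Constructed: one 10 ms frame with 42 CCEs available in every sub-frame.
    # Everything below is a pure function of the plain-text CRNTI and k, which is
    # why the search space offers no secrecy; only the CRC de-masking selects a candidate.
    for e in ue_search_spaces(ue_id=1, n_cce_per_subframe=[42] * 10):
        print(e["k"], e["Y_k"], {L: v["first_cce"] for L, v in e["levels"].items()})
```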
Figure 40. Search space of UEs in the control region.


E. APPROACH 


The attacker acts as a combination of an eNodeB and a UE. Initially, the attacker
impersonates a UE and connects to the genuine eNodeB to obtain the cell-specific
reference signal. At a later stage the attacker presents itself as a bogus eNodeB and
generates false messages to the victim UE. The attacker can perform a message injection
attack on the victim UE, and this is performed in three stages. Stage 1 involves the
extraction of the messages between the victim UE and the eNodeB to obtain the Cell Radio
Network Temporary Identifier (CRNTI). Stage 2 involves the calculation of the timing
advance in order to synchronize the false message frame to the victim UE. Stage 3
involves the injection of false messages with the TPC sub-field adjusted to the
designated value to change the behavior of the victim UE.


1. Stage 1 - Acquisition of Cell Radio Network Temporary Identifier (CRNTI)


The CRNTI provides a unique UE identification (UEID) at the cell level, and it is
assigned to the associated UE by the network during the initial establishment of uplink
synchronization. To achieve fast and flexible scheduling capability, the CRNTI is
transmitted with its scheduling information in the Layer 1 downlink control signal in
plain text [17]. Thus, the identity (CRNTI), its related resource allocation and other
Layer 1 control information are transmitted in the clear and are readable by anyone. The
vulnerabilities of the initial establishment of uplink synchronization provide the
opportunity for a man-in-the-middle attack machine to impersonate the legitimate UE and
the eNodeB. The adversary can exploit the fact that the CRNTI is transmitted in the clear and
misuse it for malicious purposes.


As mentioned in the previous section, the eNodeB performs the CRC calculation
masked with the UE's CRNTI on the control information, and the UE de-masks the
control information using its own CRNTI within the search space. Thus, with the
captured CRNTI, the adversary can impersonate the eNodeB and inject false control
messages with an adjusted control information field at a predetermined time and change the
intended behavior of the UE.


2. Stage 2 - Synchronization of Frame


Since OFDM systems are sensitive to time and frequency synchronization error,
and in order to have the false message arrive at the UE simultaneously with the legitimate
message generated by the eNodeB, there is a need to acquire some form of
synchronization with the cell.


The adversary needs to perform a cell search (similar to a normal UE) to acquire
frequency and symbol synchronization to a cell, acquire the frame timing of the cell that
determines the start of the downlink frame [29], and identify the cell-specific reference
signal. Based on the distance between the eNodeB and the adversary UE and the distance
between the eNodeB and the victim UE, the adversary is able to calculate the time
difference of the two UEs upon reception of the same frame from the eNodeB. With the
calculated time difference, the adversary can determine the position of the time slot relative
to the adversary's UE when the first OFDM symbol (control region) of the frame reaches
the victim UE. With another round of calculation, the adversary can pre-determine the
timing advance required for the false message to be transmitted from the adversary's UE
position. This enables the synchronized false message to arrive at the victim UE
simultaneously with the legitimate message.


3. Stage 3 - Message Injection


The adversary is able to determine the victim UE's search space using the pre-
captured CRNTI, construct a message for the particular UE's search space and,
thereafter, inject the message according to the pre-determined timing. The injected false
message arriving at the victim UE will be of higher power than the message transmitted
from the legitimate eNodeB; thus, the legitimate message will be overwritten. Upon
receiving the message, the victim UE decodes the content of the control channel region
according to the search space and processes the information such as the scheduling
assignment and the scheduling grants.


a. Power Requirement for Message Injection 


A typical set-up of a MITM attack is shown in Figure 41. In this set-up,
the positions of the victim UE, the attacker and the eNodeB form an extended line. The
distance between the eNodeB and the victim UE and the transmitted power of the
eNodeB are denoted as $d_1$ and $P_{T,1}$, respectively. The distance between the malicious
attacker and the victim UE and the transmitted power of the malicious attacker are
denoted as $d_2$ and $P_{T,2}$, respectively. The received powers at the victim UE from the eNodeB and
the attacker are denoted as $P_{R,1}$ and $P_{R,2}$, respectively.


The received false-signal-to-legitimate-signal ratio $SIR_{R,2}/SIR_{R,1}$ at the
victim UE is derived in the following steps. The parameter $SIR_{R,1}$ is calculated as

$$SIR_{R,1} = \frac{P_{R,1}}{I} \qquad (5)$$

where $I$ is the total co-channel interference received, and $P_{R,1}$ is determined by

$$P_{R,1} = G_{T,1}\, G_R\, L\, P_{T,1} \qquad (6)$$

where $G_{T,1}$ is the gain of the transmitter at the eNodeB; $G_R$ is the gain of the receiver at the
victim UE; and $L$ is the propagation loss. Substituting (6) into (5), we get

$$SIR_{R,1} = \frac{G_{T,1}\, G_R\, L\, P_{T,1}}{I} \qquad (7)$$

The power law equation is

$$L = \beta\, d^{-n} \qquad (8)$$

where $\beta$ is a proportionality constant that is a function of the antenna heights of both
transmitter and receiver and of the carrier frequency, and $n$ is the path loss exponent.
Substituting (8) into (7), we get

$$SIR_{R,1} = \frac{G_{T,1}\, G_R\, \beta\, d_1^{-n}\, P_{T,1}}{I} \qquad (9)$$

Similarly, for the attacker, $SIR_{R,2}$ is calculated as

$$SIR_{R,2} = \frac{G_{T,2}\, G_R\, \beta\, d_2^{-n}\, P_{T,2}}{I} \qquad (10)$$

where $G_{T,2}$ is the gain of the transmitter at the attacker.
Assuming $G_{T,1} = G_{T,2}$ and dividing (10) by (9), we get the received false-
signal-to-legitimate-signal ratio as

$$\frac{SIR_{R,2}}{SIR_{R,1}} = \frac{d_2^{-n}\, P_{T,2}}{d_1^{-n}\, P_{T,1}} \qquad (11)$$

The power required for the malicious attacker to inject the false message is
dependent on the received SIR of the victim UE. This received SIR is in turn dependent
on both transmitters' power, the distance between the transmitter and the receiver, and
the path loss exponent $n$, as illustrated in (11). The set-up is assumed to be in a lossy
environment where $n$ is four. In order to effectively overwrite the legitimate message
from the eNodeB, the power of the injected false message must be significantly higher
than that of the former.
Figure 41. Set-up position for MITM attack.


A graph of the required power of the injected message can be derived
based on the distance ratio $d_2/d_1$ and the desired received false-signal-to-legitimate-signal
ratio $P_{R,2}/P_{R,1}$ at the victim UE. The relationship between the
proximity of the attacker to the victim UE and the required attacker's transmitted power
is shown in Figure 42.


An example is used to illustrate the required transmitted power of the
attacker for the various false-signal-to-legitimate-signal ratios. In this example, the
victim UE is located 2 km from the eNodeB, while the attacker is 200 m from the UE.
This yields a distance ratio of 0.1. The eNodeB is transmitting at 30 W. From Figure 42,
we see that the required transmitted power of the attacker is only 0.02 times the
transmitted power of the eNodeB when the desired received SIR ratio at the victim
UE is 3 dB. This equates to only 0.6 W of power required for the attacker's transmitter.
The required transmitted power of the attacker for the various remaining false-signal-to-
legitimate-signal ratios is tabulated in Table 10. In general, the closer the attacker is to
the victim UE, the lower the power required to conduct the attack.
Figure 42. Relation between the proximity of the attacker to the victim UE and the required attacker's transmitted power (n=4).


Table 10. Required transmitted power of attacker for various false-signal-to-legitimate-signal ratios.

False-signal-to-legitimate-signal ratio (dB)   Transmitted power of attacker to eNodeB ratio (times)   Transmitted power of attacker (Watt)
[table body not recoverable from the extracted text]


F. IMPACT


The adversary's action has two results. First, it depletes the limited battery power
of the UE at a faster rate and reduces the intended operation period. Second, it causes
interference to the neighboring cells. The combination of this interference from the
neighboring cells increases the interference perceived by the eNodeB and reduces the
desired SIR of the eNodeB. The decoding capability at the eNodeB is determined by the
SIR instead of the absolute received power. Thus, the increase in interference from
neighboring UEs to the eNodeB reduces the SIR and changes the modulation and coding
scheme (MCS) to one that lowers the maximum throughput. This, in turn, restricts the
legitimate UEs to accessing their desired network services at a much lower data rate.


1. Depletion of Battery Power 


The battery lifespan of an end device depends on many parameters, including the device operating system, the applications in use, and user profiles. These applications in turn determine the required bandwidth and the required transmit and receive power of the end device. An approximate approach is used to explore the depletion rate of the battery power of a device transmitting at 23 dBm, which is the maximum UE power specified in [24]. Typically, a bandwidth-demanding application like streaming video will require higher transmit power for data transmission. As such, in this study, we take the estimated battery life of a phone continuously streaming video or browsing the web to represent the battery life of the phone transmitting at 23 dBm. Likewise, we take the estimated battery life of the phone performing an idle push-email function to represent the battery life of the phone transmitting at the average power level. The estimated battery life of four types of LTE phones by application is plotted in Figure 43. For purposes of comparison, we use the data of the Skyrocket phone to illustrate the UE depletion rate of battery power for the various applications. From Figure 43, it is shown that the Skyrocket will have 210 minutes of battery lifetime for streaming of video and 640 minutes of battery lifetime for idle push email. Analogously, a phone transmitting at the maximum power of 23 dBm has only 210 minutes of battery lifetime, which is a reduction of 430 minutes from a phone transmitting at nominal power. The phone battery lifetime is reduced to 33% of the original battery lifetime when transmitting at maximum power.
Figure 43. Battery lifespan of four LTE phones by applications. From [38].


2. Reduction of Reverse Channel SIR


The inter-cell interference condition is illustrated in Figure 44. The solid green line indicates the desired transmit signal from the legitimate UE (UE4), located at the corner of the outer cell of cell O, to the eNodeB. Since the neighboring cell-edge users adopt sectoring, only cells D, E and F in the first tier, which face the intended sector (Channel 2), could contribute to the co-channel interference (CCI). However, as none of these three cells uses Channel 2, the interference comes from the second tier. In the second tier, the only cells using Channel 2 and facing the intended sector are the bottom cell A and the two cells B. The locations of the UEs are designated as UE1, UE2 and UE3, respectively, as shown in Figure 44. The solid red lines indicate the interference generated at the eNodeB by the UEs (UE1, UE2 and UE3) of the adjacent cells.

Figure 44. Reverse channel interference analysis for edge area (solid green line: desired signal; solid red lines: interfering signals). After [37].


The total co-channel interference $I$ received by the eNodeB in cell O is given in [41] and restated as follows

$$I = \frac{G_T G_R P_{T,B}}{L_B} + \frac{G_T G_R P_{T,A}}{L_A} + \frac{G_T G_R P_{T,B'}}{L_{B'}} \qquad (12)$$

where $G_T$ is the gain of the transmitter at the neighboring UE; $P_{T,A}$, $P_{T,B}$ and $P_{T,B'}$ are the transmitted power from UE2, UE1, and UE3, respectively; and $L_A$, $L_B$ and $L_{B'}$ are the propagation loss of the transmitted power from UE2, UE1, and UE3, respectively. By rearranging (12), we get

$$I = (G_T G_R)\left(L_B^{-1} P_{T,B} + L_A^{-1} P_{T,A} + L_{B'}^{-1} P_{T,B'}\right). \qquad (13)$$


The reverse channel SIR of the cell edge area (CE) for 120°-sectoring [41], $SIR_{CE,120^\circ}$, is defined as

$$SIR_{CE,120^\circ} = \frac{P_{R,O}}{I} \qquad (14)$$

where $P_{R,O}$ is the received power from UE4 (legitimate user) and is calculated as

$$P_{R,O} = G_T G_R L_O^{-1} P_{T,O} \qquad (15)$$

where $L_O$ is the propagation path loss between UE4 and the eNodeB, and $P_{T,O}$ is the transmitted power of UE4. Substituting (13) and (15) into (14), we obtain

$$SIR_{CE,120^\circ} = \frac{G_T G_R L_O^{-1} P_{T,O}}{G_T G_R\left(L_B^{-1} P_{T,B} + L_A^{-1} P_{T,A} + L_{B'}^{-1} P_{T,B'}\right)} \qquad (16)$$

where $L_B$, $L_A$, $L_{B'}$ and $L_O$ are the path losses for UE1, UE2, UE3 and UE4, respectively.


The $L_B$ value is calculated as

$$L_B = \beta_B^{-1}\, d_B^{-n} \qquad (17)$$

where $\beta_B$ is a proportionality constant that is a function of the antenna heights of UE1 and the eNodeB, $d_B$ is the distance from UE1 to the eNodeB (a fixed multiple of the cell radius $R$, as laid out in Figure 44), and $n$ is the path loss exponent. The $L_A$ value is calculated as

$$L_A = \beta_A^{-1}\, d_A^{-n} \qquad (18)$$

where $\beta_A$ is a proportionality constant that is a function of the antenna heights of UE2 and the eNodeB, and $d_A$ is the distance from UE2 to the eNodeB. The $L_{B'}$ value is calculated as

$$L_{B'} = \beta_{B'}^{-1}\left(\sqrt{7}\,R\right)^{-n} \qquad (19)$$

where $\beta_{B'}$ is a proportionality constant that is a function of the antenna heights of UE3 and the eNodeB. The $L_O$ value is calculated as

$$L_O = \beta_O^{-1}\, R^{-n} \qquad (20)$$

where $\beta_O$ is a proportionality constant that is a function of the antenna heights of UE4 and the eNodeB.

Substituting (17) to (20) into (16), we determine $SIR_{CE,120^\circ}$ as

$$SIR_{CE,120^\circ} = \frac{\left(\beta_O^{-1} R^{-n}\right) P_{T,O}}{\left(\beta_B^{-1} d_B^{-n}\right) P_{T,B} + \left(\beta_A^{-1} d_A^{-n}\right) P_{T,A} + \left(\beta_{B'}^{-1}\left(\sqrt{7}\,R\right)^{-n}\right) P_{T,B'}}. \qquad (21)$$

Assuming that $\beta_O = \beta_A = \beta_B = \beta_{B'}$ for the coverage area, we get the reverse channel SIR of the CE as

$$SIR_{CE,120^\circ} = \frac{P_{T,O}}{\left(\dfrac{d_B}{R}\right)^{-n} P_{T,B} + \left(\dfrac{d_A}{R}\right)^{-n} P_{T,A} + \left(\sqrt{7}\right)^{-n} P_{T,B'}}. \qquad (22)$$


From (22), we observe that the SIR is dependent on the power transmitted by the UEs and is independent of the cell radius. The average SIR can be computed to indicate the average SIR experienced by the eNodeB and is given by

$$SIR_{Ave} = \sum_{i=1}^{M} p_i\, SIR_i \qquad (23)$$

where $SIR_i$ represents the SIR experienced by the eNodeB computed for the respective transmitted power combination of UE1, UE2, UE3 and UE4 as shown in Table 11. The parameter $p_i$ represents the probability of that SIR value occurring, computed within the specified transmitted power range, and $M$ represents the number of transmitted power combinations of UE1, UE2, UE3 and UE4.


Two types of average SIR, namely $SIR_{Ave,normal}$ and $SIR_{Ave,maximum}$, experienced by the eNodeB are computed. $SIR_{Ave,normal}$ is the average SIR experienced by the eNodeB in the normal scenario, where all the interfering power is random. On the other hand, $SIR_{Ave,maximum}$ is the average SIR experienced by the eNodeB in the extreme scenario, where all the interfering power is at a maximum.
To formulate the value of the average $SIR_{Ave,normal}$ experienced by the eNodeB, it is assumed that sampling is performed on the transmitted power of UE1, UE2, UE3 and UE4. The transmitted powers can assume one of twenty values, which range from 10 mW to 200 mW in steps of 10 mW. $SIR_{Ave,normal}$ is computed based on (22) and (23), with the various input combinations of the different transmitted powers of UE1, UE2, UE3 and UE4. There is a total of $20^4 = 160{,}000$ combinations of SIR, with run-number 1 computed with the transmitted power of UE1, UE2, UE3 and UE4 all at 10 mW and run-number 160,000 with the transmitted power of UE1, UE2, UE3 and UE4 all at 200 mW, as shown in Table 11. A relatively lossy environment with $n = 4$ is assumed in the computation, and $p_i$ is 1/(number of combinations), since each combination of transmitted power is equally likely to occur.


The results of $SIR_{Ave,normal}$ for the various combinations of the transmitted power are simulated using Matlab code and are shown in Figure 45. The enlarged figure for the first 100 combinations is shown in Figure 46.


Region 1 can be observed in Figure 45, while region 2 is illustrated in Figure 46, which shows the first 100 data points of Figure 45. In region 1 of Figure 45, formed by the first 8,000 combination runs, the SIR increases significantly to 10 dB at combination run-number 21 as compared to the previous run. This occurs when the transmitted power of UE3 is reset to 10 mW while the transmitted power of UE2 is set to 20 mW: there is an overall decrease in the interfering power from combination run-number 20 to 21. The SIR generally follows a downward trend for this region until the transmitted power of UE4 is set to 20 mW. At combination run-number 8,001, the SIR increases significantly as the desired transmitted power of UE4 is set to 20 mW, as compared to the previous 10,000 combinations where the transmitted power of UE4 is at 10 mW. This pattern can be observed for the subsequent 15,000 combination runs. Overall, the SIR increases as the desired transmitted power of UE4 increases.


We observe that in region 2 of Figure 46, formed by the first 20 combination runs, the SIR decreases as the interfering power of UE3 increases from 10 mW to 200 mW over the corresponding runs, while the transmitted powers of UE1, UE2, and UE4 remain at 10 mW. The SIR is inversely proportional to the interfering power.
Table 11. Various input combinations of UEs' transmitted power to compute $SIR_{Ave,normal}$.

Figure 45. Signal-to-interference ratio for various combinations of UEs' transmitted power (UE1, UE2, UE3 and UE4 range from 10 mW to 200 mW).

Figure 46. Signal-to-interference ratio for the first 100 combinations of UEs' transmitted power to compute $SIR_{Ave,normal}$.


A Matlab simulation code is used to calculate the average $SIR_{Ave,normal}$ experienced by the eNodeB according to (23), and the computed value is 11.7 dB.


When UE1, UE2 and UE3 are transmitting at the maximum power of 200 mW each, several assumptions are adopted to formulate the value of $SIR_{Ave,maximum}$ experienced by the eNodeB. First, it is assumed that the interfering transmitted power of UE1, UE2 and UE3 is fixed at 200 mW. Second, the transmitted power of UE4 can assume one of 20 values, which range from 10 mW to 200 mW in steps of 10 mW. $SIR_{Ave,maximum}$ is computed based on the various combinations of the different transmitted powers of UE1, UE2, UE3 and UE4. There is a total of 20 combinations of SIR, with run-number 1 computed with the transmitted powers of UE1, UE2 and UE3 at 200 mW and UE4 at 10 mW, while run-number 20 is computed with the transmitted powers of UE1, UE2, UE3 and UE4 all at 200 mW, as shown in Table 12. Third, a relatively lossy environment with $n = 4$ is assumed, and the parameter $p_i$ is 1/(number of combinations), since each combination of transmitted power is equally likely to occur. With these assumptions, the value of the average $SIR_{Ave,maximum}$ experienced by the eNodeB is formulated.
Table 12. Various input combinations of UEs' transmitted power to compute $SIR_{Ave,maximum}$.

Combination number | Transmitted power (mW): UE4 (desired) | UE1 (interfering) | UE2 (interfering) | UE3 (interfering)
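The two scenarios above, implemented in Python as an added example (this is not the thesis's Matlab code from Appendix A). It evaluates (22) for every power combination of Table 11 and for the 20 rows of Table 12, then averages with (23) using equal probabilities $p_i$. It assumes the path-loss exponent n = 4 and equal β factors, as stated above, and takes the distance of UE3 to the eNodeB as √7 R from (19); the distance factors of UE1 and UE2 (K_UE1, K_UE2) are placeholders to be replaced with the values read from Figure 44, so the 11.7 dB and 8.3 dB results quoted below are reproduced only with the thesis's own geometry. The run ordering makes UE3 the fastest-changing power and UE4 the slowest, which is the ordering the discussion of regions 1 and 2 relies on.

```python
"""Reverse-channel SIR at the eNodeB of cell O, following (22) and (23).

Added example (not the thesis's Matlab code).  Assumptions:
  * path-loss exponent n = 4 and equal beta factors, so (22) applies;
  * UE3 sits sqrt(7) R from the eNodeB, as in (19);
  * K_UE1 and K_UE2 are PLACEHOLDER distance factors (multiples of R) and
    must be replaced with the values read from Figure 44.
"""
import math
from itertools import product

N_EXP = 4                 # path-loss exponent n (lossy environment)
K_UE3 = math.sqrt(7)      # UE3 distance to the eNodeB in multiples of R, from (19)
K_UE1 = 2.5               # placeholder: replace with the Figure 44 value for UE1
K_UE2 = 2.5               # placeholder: replace with the Figure 44 value for UE2
POWERS_MW = [10 * k for k in range(1, 21)]   # 10 mW .. 200 mW in 10 mW steps


def sir_linear(p_ue4, p_ue1, p_ue2, p_ue3, n=N_EXP,
               k_ue1=K_UE1, k_ue2=K_UE2, k_ue3=K_UE3):
    """Equation (22): desired power over distance-weighted interfering powers.

    Each weight k^-n is the path-loss ratio relative to UE4 at distance R,
    so the cell radius itself cancels out of the expression.
    """
    interference = ((k_ue1 ** -n) * p_ue1
                    + (k_ue2 ** -n) * p_ue2
                    + (k_ue3 ** -n) * p_ue3)
    return p_ue4 / interference


def to_db(x):
    """Power ratio to decibels."""
    return 10.0 * math.log10(x)


def sir_ave_normal(powers=POWERS_MW):
    """Equation (23) over every combination of the four powers (Table 11).

    Run 1 has all four UEs at the lowest power; UE3 is the fastest-changing
    index and UE4 the slowest.  Returns (average SIR in dB, per-run SIR in dB).
    """
    runs = [sir_linear(p4, p1, p2, p3)
            for p4, p1, p2, p3 in product(powers, repeat=4)]
    p_i = 1.0 / len(runs)                    # every combination equally likely
    average = sum(p_i * s for s in runs)     # averaged in linear units
    return to_db(average), [to_db(s) for s in runs]


def sir_ave_maximum(powers=POWERS_MW, p_max=200):
    """Equation (23) with UE1..UE3 fixed at p_max and UE4 swept (Table 12)."""
    runs = [sir_linear(p4, p_max, p_max, p_max) for p4 in powers]
    average = sum(runs) / len(runs)
    return to_db(average), [to_db(s) for s in runs]


def sir_degradation_db():
    """Drop in average SIR when the interferers go from random to maximum power."""
    normal_db, _ = sir_ave_normal()
    maximum_db, _ = sir_ave_maximum()
    return normal_db - maximum_db


if __name__ == "__main__":
    normal_db, normal_runs = sir_ave_normal()
    maximum_db, maximum_runs = sir_ave_maximum()
    print(f"runs in the normal scenario            : {len(normal_runs)}")
    print(f"SIR_Ave,normal                         : {normal_db:.1f} dB")
    print(f"SIR_Ave,maximum                        : {maximum_db:.1f} dB")
    print(f"SIR at UE4 = 10 mW, interferers 200 mW : {maximum_runs[0]:.1f} dB")
    print(f"reduction in average SIR               : {sir_degradation_db():.1f} dB")
```

Because (22) is linear in the interfering powers, doubling all three interferers halves the SIR, which is the inverse proportionality observed in region 2; and with every interferer at 200 mW the 10 mW row of Table 12 gives a negative SIR whenever the summed distance weights exceed 0.05, which is the condition behind the negative value reported for Figure 47.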





The results for $SIR_{Ave,maximum}$ are simulated using Matlab code and are shown in Figure 47. In Figure 47, we observe that when the transmitted power of UE4 is 10 mW, the SIR is -2 dB. This is because the overall CCI is higher than the desired received signal of UE4, which results in a negative SIR. Overall, the SIR increases as the desired transmitted power of UE4 increases. A Matlab simulation code is used to calculate $SIR_{Ave,maximum}$ experienced by the eNodeB, and the computed average value is 8.3 dB.


The results show that there is a reduction in the SIR of the eNodeB by 3.4 dB, calculated as 11.7 dB - 8.3 dB, when the interfering transmitted power of the UEs (UE1, UE2 and UE3) is fixed at the maximum of 200 mW, as compared to when the interfering transmitted power of the UEs varies from 10 mW to 200 mW. This lowers the MCS that can be adopted by the victim UE with the eNodeB and reduces the data throughput significantly.


The maximum throughput that can be achieved by a given MCS is the product of the coding rate and the number of bits per modulation symbol [39]. Coding refers to the addition of redundant bits to the data bits and provides forward error correction on the received bits, while the coding rate is the proportion of the code bits to the data bits. The order of modulation refers to the number of coded bits that can be transmitted per modulation symbol.
Figure 47. Signal-to-interference ratio for various combinations of UEs' transmitted power (UE1, UE2 and UE3 are fixed at 200 mW).


A graph of throughput for various MCS as a function of SINR is displayed in Figure 48 [38]. Since the mobile network is interference-limited, where the SNR has negligible effect, SINR can be approximated by SIR [42]. Thus, Figure 48, although plotted against SINR, can be used directly for our evaluation. A particular MCS requires a certain SIR in order to operate with a suitably low bit error rate at the output. In general, an MCS with a higher throughput requires a higher SIR. From Figure 48, we observe that to maximize the throughput at around 11.7 dB, MCS-10 (16 QAM, R=4/5), corresponding to a throughput of 3.2 bits per second per hertz, is the suitable MCS. When the SIR is reduced to 8.3 dB, the MCS is MCS-8 (16 QAM, R=1/2), which corresponds to only 2.0 bits per second per hertz. Thus, the reduction in the SIR of the eNodeB from 11.7 dB to 8.3 dB will decrease the maximum throughput of the UE by 37.5%, from 3.2 bits per second per hertz to 2.0 bits per second per hertz.
Figure 48. Throughput of a set of coding and modulation combinations. From [39].
V. CONCLUSIONS AND FUTURE WORK


A. CONCLUSIONS


This study consists of a comprehensive investigation of the LTE specifications pertaining to Layer 2 protocols. As discussed in the literature review, the previous studies on the security exploitation of Layer 2 protocols are not exhaustive. These studies are limited to listing security vulnerabilities and do not elaborate further on the details and the impact of the respective threats.


This research has identified other potential vulnerabilities in the Layer 2 protocol and demonstrated the potential of exploiting the unprotected power control message and the extracted CRNTI to change the intended behavior of the UEs. In particular, the victim UE is tricked by a false message generated by a bogus eNodeB into transmitting at a much higher than required power, which introduces significant inter-cell interference to the adjacent eNodeB.


The impacts of the attack include depleting the limited battery power of the victim UE at a much faster rate and reducing the reverse channel SIR of the eNodeB. The phone battery lifetime is reduced to 33% of the original battery lifetime when transmitting at maximum power. The simulation results show that there is a reduction in the reverse channel SIR of the eNodeB by 3.4 dB, and this decreases the maximum possible throughput of the UE by 37.5%, from 3.2 bits per second per hertz to 2.0 bits per second per hertz.
B. FUTURE WORK


1. Verification and Validation of Desired Received SINR


One important practical consideration that influences the amount of interference is the changing environment in which LTE may be deployed, since the environment affects the path loss. This variation in environment was not simulated in this thesis. In addition, the received SINR determines a range of MCS that can be adopted by the UE, and the throughput varies for different MCS at the same SINR. In this thesis, the analysis is based only on the maximum possible throughput. The actual throughput loss experienced by the UE when it operates with a SINR of 11.7 dB instead of 8.3 dB may be even larger. Collection of actual data can be used to validate and refine the results of this research.


2. Investigation on Other Control Messages


A thorough investigation can be conducted on the RRC layer, in particular on the unprotected RRC signaling. Some of these messages can be sent unprotected prior to security activation, and some of the messages can be sent unprotected even after security activation. The details on these messages can be found in 3GPP TS 36.331.
APPENDIX A - MATLAB SIMULATIONS


A. CALCULATION AND PLOT OF FALSE SIGNAL TO LEGITIMATE SIGNAL RATIO


clear all;
close all;

n = 4;                          % Path loss exponent
P = 0.01:0.01:1;                % Ratio of distance (D2/D1): attacker-to-UE over eNodeB-to-UE
% From LTE (Rel-8), the maximum UE transmit power is 23 dBm

% Desired received ratio Pr2/Pr1 (false signal to legitimate signal), linear units
improvement_3dB  = 10^(3/10);
improvement_6dB  = 10^(6/10);
improvement_10dB = 10^(10/10);
improvement_13dB = 10^(13/10);

% Required transmitted power ratio Pt2/Pt1, in percent, for each distance ratio.
% Loop bodies reconstructed from the d^-n path loss model: Pt2/Pt1 = (Pr2/Pr1)*(D2/D1)^n
i = 1;
for dist_ratio = P
    Display_3dB(i) = improvement_3dB * dist_ratio^n * 100;
    i = i + 1;
end
i = 1;
for dist_ratio = P
    Display_6dB(i) = improvement_6dB * dist_ratio^n * 100;
    i = i + 1;
end
i = 1;
for dist_ratio = P
    Display_10dB(i) = improvement_10dB * dist_ratio^n * 100;
    i = i + 1;
end
i = 1;
for dist_ratio = P
    Display_13dB(i) = improvement_13dB * dist_ratio^n * 100;
    i = i + 1;
end

figure;
semilogy(0.01:0.01:1, Display_3dB)
hold on;
semilogy(0.01:0.01:1, Display_6dB)
hold on;
semilogy(0.01:0.01:1, Display_10dB)
hold on;
semilogy(0.01:0.01:1, Display_13dB, 'magenta')

grid on;

legend('Received ratio(Pr2/Pr1) of 3dB', 'Received ratio(Pr2/Pr1) of 6dB', 'Received ratio(Pr2/Pr1) of 10dB', 'Received ratio(Pr2/Pr1) of 13dB');

xlabel('Ratio of distance (D2/D1)')

ylabel('Ratio of transmitted power (Pt2/Pt1) (%)')

title('Plot of relationship between ratio of distance vs ratio of transmitted power for various received power ratio')


B. CALCULATION AND PLOT OF SIRave,normal


clear all;
close all;

n = 4;                  % Path loss exponent
k_B  = 2.5;             % Distance of UE1 to the eNodeB in multiples of R (placeholder, use the Figure 44 value)
k_A  = 2.5;             % Distance of UE2 to the eNodeB in multiples of R (placeholder, use the Figure 44 value)
k_Bp = sqrt(7);         % Distance of UE3 to the eNodeB in multiples of R, from (19)
P = 10:10:200;          % Transmitted power of each UE in mW (Table 11)
Display = zeros(1, numel(P)^4);

% Loop bodies reconstructed from (22) and (23); equal beta factors are assumed
i = 1;
for P_O = P                    % UE4 (desired), slowest-changing index
    for P_B = P                % UE1 (interfering)
        for P_A = P            % UE2 (interfering)
            for P_Bp = P       % UE3 (interfering), fastest-changing index
                SIR = P_O / (k_B^(-n)*P_B + k_A^(-n)*P_A + k_Bp^(-n)*P_Bp);   % (22)
                Display(i) = 10*log10(SIR);
                i = i + 1;
            end
        end
    end
end

% (23) with p_i = 1/(number of combinations); SIR values are averaged in linear units
SIR_ave_normal = 10*log10(mean(10.^(Display/10)))

figure, plot(Display, 'bo', 'Markersize', 1);

xlabel('Combination run number')

ylabel('Signal-to-interference ratio (dB)')

title('Plot of Signal-to-interference ratio for various combinations of UEs transmitted power')


C. CALCULATION AND PLOT OF SIRave,maximum


clear all;
close all;

n = 4;                  % Path loss exponent
k_B  = 2.5;             % Distance of UE1 to the eNodeB in multiples of R (placeholder, use the Figure 44 value)
k_A  = 2.5;             % Distance of UE2 to the eNodeB in multiples of R (placeholder, use the Figure 44 value)
k_Bp = sqrt(7);         % Distance of UE3 to the eNodeB in multiples of R, from (19)
P_max = 200;            % Interfering UEs fixed at the maximum of 200 mW (Table 12)
P = 10:10:200;          % Transmitted power of UE4 (desired) in mW
Display = zeros(1, numel(P));

% Loop body reconstructed from (22) and (23); equal beta factors are assumed
i = 1;
for P_O = P
    SIR = P_O / (k_B^(-n)*P_max + k_A^(-n)*P_max + k_Bp^(-n)*P_max);   % (22)
    Display(i) = 10*log10(SIR);
    i = i + 1;
end

% (23) with p_i = 1/(number of combinations); SIR values are averaged in linear units
SIR_ave_maximum = 10*log10(mean(10.^(Display/10)))

figure, plot(10:10:200, Display);

xlabel('Transmitted power of UE4 (mW)')

ylabel('Signal-to-interference ratio (dB)')

title('Plot of Signal-to-interference ratio for various transmitted power of UE4 (Desired)')